Nathan Hamiel (right) and Shawn Moyer (left) love social sites from MySpace to Facebook. But at the Defcon and Black Hat security conferences this year, they gave talks about how easy it is to compromise web sites that accept user-generated content.
The arms race to aggregate content into social sites is leading to a “broader attack surface.” Virus creators know they can get a better payoff if they exploit social networking to help spread their wares.
The two security researchers are no strangers to the topic. Last year, they gave a talk about hacking MySpace and called it “Satan is on my friends list.” They found that user-generated content introduced a whole set of security concerns because it brings in content from third parties who may or may not be reliable. One way to exploit user-generated content sites is with cross-site request forgery, which gets around authentication by causing a logged-in user's browser to send requests the user never intended, so the site treats them as coming from that user.
This year, they introduced MonkeyFist, a tool that automates cross-site request forgery attacks. In other words, you still can’t trust your friends list.