* Jennifer Leggio is on vacation
Guest editorial by Shawn Moyer and Nathan Hamiel, who presented “Satan is on my Friends List: Attacking Social Networks” at BlackHat and Defcon earlier this month.
Ultimately, we blame Jeff Moss for all of this. Earlier this year, the founder of Black Hat and Defcon asked the security community to join the Black Hat and Defcon LinkedIn groups. To our own occasional chagrin, we’re both very active users of social networks (hereafter SocNets, easier to type and we’re not being paid by the word), so we found ourselves compelled to join but also a bit skeptical. Would a bunch of paranoid-by-nature and paranoid-by-profession hackers and security professionals fly the SocNet flag and buddy up? No way, right?
Well, both groups have just under 2,000 members at this point, so it looks like the answer is a resounding yes. If a pretty broad sample of InfoSec folks are using SocNets, it seems to stand to reason that things must be improving on the SocNet security front now, right? We couldn’t really say for sure. We both had a gut feeling, but wanted to have a better idea of how bad (or, yes, even how good) things really were.
A few months later, at Black Hat and Defcon were pretty flummoxed by the response to what ultimately was a silly talk about privilege escalation on Adult Friend Finder, performing the MySpace equivalent of K-Lining, and using social engineering to poke some fun at journalists and the security blogosphere.
Still, as SocNets and social media become more and more a part of our daily lives, and as the race to go to market and to gain marketshare continues, we think SocNet security will continue to become a larger problem, and recent activity seems to show that the appeal of a large and active userbase as a target for the malware industry is hard to ignore.
Further down the rabbit hole, in which we find some ugly things
So, rewinding a few months back… Talk submitted to Defcon and Black Hat, check. Nathan and Shawn working on projects in the same city for a couple of months, check. Cider and box wine acquired, check. We fired up our interception proxies, passive audit tools, a few other toys, cranked up “Waiting Room”, and prepared to sequester ourselves a few nights a week for a couple of months, to see what things looked like across the board.
We found our first exploitable bug in around a half hour, on the first SocNet we looked at. This became something of a theme, and we found ourselves pretty disappointed each night if the booze ran out (or it got too late) before we found something troubling, or at least interesting. We both do Web app security testing, mostly for larger ecommerce sites, in our day jobs, and so looking at an architecture as trusting and open as a social network was kind of like playing slow pitch softball over beers in the park after trying to strike out Albert Pujols for nine innings.
The above is certainly not to say that we’re ninjas, security masterminds, or anything of the sort. There are lots of very smart people (none of which are us) looking at Web application security. What we found, though, is that attacking someone via a SocNet, or at least via a lot of the SocNets we looked at, often didn’t require Javascript filter ninjitsu, multi-stage payloads, or even, at least in our case, a modicum of sobriety. Did we mention we’d been drinking?
Ugly things enumerated: SocNet apps
For those taking notes, here’s the simplest way to get arbitrary code execution in the browsers of millions of users (no exaggeration — the top SocNet applications on Facebook and MySpace have 21 million and 8 million users, respectively) suitable for BotNet propagation, phishing, pharming, click fraud, DoSing, a fully meshed global RickRolling spam farm, or some other purpose so nefarious we couldn’t imagine it ourselves, despite considerable effort and numerous demonic incantations.
Just ask for permission.
Specifically, go through the trivial process of signing up to be a SocNet App developer. On Facebook permission to publish an app means having five friends, on MySpace it means filling out an application form (ours claimed we were working on a messaging system using the “unbreakable ROT13 encryption algorithm”), and providing a few easily-forged bits of personal information. Signing up to develop apps on SocNets is a shockingly trivial process, and results in being given the keys to Dad’s car and the liquor cabinet to boot, as it were.
