
Hidden threat of third-party applications

In the year and a half since Facebook opened its platform to third-party applications, millions of users have added extra icons to their pages: games, music and film recommendations, and assorted lifestyle tools. As third-party applications grow in popularity, computer security experts are increasingly worried about how to prevent abuse. The very thing that lets social networks distribute applications so effectively, access to a user's connections, could be an ideal mechanism for distributing malware.

A number of studies have shown that there is reason for concern. At the Information Security Conference held this week in Taiwan, researchers from the Foundation for Research and Technology - Hellas (FORTH) presented the results of an experiment in which real Facebook users took part. The researchers built an application that displays National Geographic photos on the user's profile page. Unnoticed by the user, however, the application also embeds references to large image files hosted on a target server, in this case a server belonging to FORTH, so every browser that renders the page fetches them. If the application is installed by enough users, the resulting stream of requests can overwhelm the target server and make it unavailable.

Elias Athanasopoulos, one of the FORTH researchers, said that the team made no effort to promote the application, yet about 1,000 Facebook users installed it on the first day. The attack that followed was not especially powerful, but according to Athanasopoulos it is quite capable of knocking a small website offline, and he expects there are ways to increase its power significantly. The attack relies on the openness of the Facebook platform. "It is not at all easy to find a way to provide a platform (for third-party developers) that cannot lead to negative consequences for the rest of the network," Athanasopoulos said.
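The FORTH experiment turns each visitor's browser into an unwitting client of the target: the application page embeds references to large files, and the web server under attack sees a flood of requests for the same static content from many different client addresses, all with a Referer pointing at the application page. The following is an added example (not FORTH's code, and not from the original article) showing what that flood looks like in a web server's access log, how the target can detect it, and one coarse way to blunt it. The log lines, the referer `http://apps.facebook.com/natgeo-photos/`, the path `/photos/big.jpg`, the thresholds and the own-site host `www.example.org` are all constructed assumptions.

```python
"""Detect and blunt a browser-driven flood of large-file requests that a
third-party application steers at a target web server.

Added example, not FORTH's code. The sample log lines, the referer host,
the file path and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Reduce the referer to its host: "http://host/path" -> "host"
    rec["referer_host"] = re.sub(r"^https?://", "", rec["referer"]).split("/")[0].lower()
    return rec

def flagged_referers(lines, window_s=60, min_clients=20, min_bytes=50_000_000):
    """Return {referer_host: (distinct_clients, bytes)} for referring pages that
    drove at least min_clients distinct IPs to pull at least min_bytes within
    some window_s-second window. Many distinct clients is what separates an
    embedded-in-an-app flood from one heavy downloader."""
    events = defaultdict(list)  # referer_host -> [(ts, ip, size)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["referer_host"]:
            events[rec["referer_host"]].append((rec["ts"], rec["ip"], rec["size"]))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_s
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            clients = {ip for _, ip, _ in window}
            nbytes = sum(size for _, _, size in window)
            if len(clients) >= min_clients and nbytes >= min_bytes:
                prev = flagged.get(host, (0, 0))
                flagged[host] = (max(prev[0], len(clients)), max(prev[1], nbytes))
    return flagged

LARGE_STATIC = re.compile(r"\.(jpe?g|png|gif|zip|mp4)$", re.I)

def should_serve(referer_host, path, own_hosts=("www.example.org",)):
    """Coarse hotlink protection: serve large static files only to requests
    whose referer is our own site (assumed host) or blank. A blank referer is
    allowed so direct links and privacy-stripping browsers keep working, which
    also means this check is not a substitute for per-client rate limiting."""
    if not LARGE_STATIC.search(path):
        return True
    return referer_host == "" or referer_host in own_hosts

def _constructed_log():
    """Constructed sample traffic (not real data): 25 distinct clients each
    fetch a 3 MB image within 25 seconds, referred by the application page,
    plus three ordinary visitors arriving from a search engine."""
    lines = []
    for i in range(25):
        lines.append(
            f'10.0.0.{i + 1} - - [21/Oct/2008:10:00:{i:02d} +0000] '
            f'"GET /photos/big.jpg HTTP/1.1" 200 3000000 '
            f'"http://apps.facebook.com/natgeo-photos/" "Mozilla/5.0"'
        )
    for i in range(3):
        lines.append(
            f'192.0.2.{i + 1} - - [21/Oct/2008:10:00:{i:02d} +0000] '
            f'"GET /index.html HTTP/1.1" 200 4200 '
            f'"http://www.google.com/search?q=forth" "Mozilla/5.0"'
        )
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for host, (clients, nbytes) in flagged_referers(SAMPLE_LOG).items():
        print(f"flood via {host}: {clients} clients, {nbytes} bytes")
```

Keying on the Referer works against this particular pattern because a browser sets the Referer of an embedded image to the page that embedded it, which the application author does not control. It does nothing against clients that send no Referer at all, so it complements per-client and per-resource rate limiting rather than replacing it.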
A more detailed analysis covering several different social networking sites shows that the potential damage could be far greater. Two computer security consultants, Nathan Hamiel of Hexagon Security Group and Shawn Moyer of Agura Digital Security, presented examples of malicious applications for the OpenSocial platform, which is used by MySpace, hi5, Orkut and several other social networks. One of their demo applications, called DoSer, logs out of the site any user who views the compromised user's profile for more than seven seconds. Another, called CSRFer, sends forged friend requests on behalf of the user whose account has been compromised. Hamiel believes there are countless ways to cause trouble on social networks and that resisting attackers is not an easy task. "The application penetrates very deep under the skin of the service," Hamiel says.

The main problem is that it is not always easy for users to work out exactly what a given social networking application does. "As a user, you cannot check what the application does," says Roel Schouwenberg of Kaspersky Lab's Belgian office. "Personally, as a computer security specialist, that fact gives me no pleasure at all."

Hamiel believes the social factor also plays an important role: social networks create an atmosphere of trust, and that is exactly what attackers exploit. Recently, for example, a malicious program disguised as a Flash update spread virally on Facebook as users passed it to one another. "It was the social factor that made users take actions that were destructive from a technical point of view," Hamiel says.

The companies behind social networks are only now starting to pay attention to security. Facebook, for example, recently set up a dedicated "security page" where users can learn about the dangers that may await them on the site. According to the company, its security team "is working hard to identify vulnerabilities in its own system, and also collaborates with the external community, inviting them to point out what remains unnoticed."

Hamiel is concerned that there is no guarantee against malware. He points out that an attacker could develop an application that appears harmless and then, once the number of users who installed it reaches a certain point, turn it into a destructive program simply by updating the application with malicious code; nothing requires users to reinstall or re-approve it.

Restricting what all applications can do is not an appropriate solution either, since it would strip them of exactly what attracts users. "The situation is delicate, because the goal of social networks is to encourage creativity and communication," says Hamiel. "To stifle that creativity is to act against the service itself."

According to Athanasopoulos, the best solution would be to employ dedicated reviewers to audit the code of external applications. He acknowledges, however, that the cost of such a service would be unacceptable to most companies.
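Code review, as Athanasopoulos proposes, only helps against the silent-update problem Hamiel describes if the platform can tell that what it serves is still what was reviewed. One way to tie the two together, as an added example that is neither Facebook's nor OpenSocial's platform code and not from the original article, is to pin the hash of the approved payload at review time and refuse to render anything that no longer matches. The app id `natgeo-photos`, the two payloads and the in-memory "developer host" dictionary are constructed for illustration.

```python
"""Pin the hash of a reviewed application payload so that a later silent
update cannot pass as the code that was approved.

Added example, not Facebook's or OpenSocial's platform code. The app id,
the payloads and the in-memory "developer host" are constructed.
"""
import hashlib
import hmac

# Stand-in for the developer's own server, which the platform fetches from
# at render time. Constructed; the second payload plays the role of the
# malicious update pushed once the app has enough installs.
BENIGN_PAYLOAD = "<div>Photo of the day</div>"
MALICIOUS_UPDATE = '<div>Photo of the day</div><img src="http://target.example/huge.jpg">'
DEVELOPER_HOST = {"natgeo-photos": BENIGN_PAYLOAD}

class PayloadChanged(Exception):
    """Raised when the fetched code no longer matches the reviewed hash."""

def payload_hash(payload):
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class ReviewRegistry:
    """Records, per app id, the hash of the exact payload the reviewers approved."""
    def __init__(self):
        self._pinned = {}

    def approve(self, app_id, payload):
        self._pinned[app_id] = payload_hash(payload)

    def is_approved(self, app_id, payload):
        pinned = self._pinned.get(app_id)
        # constant-time compare; an unknown app id is never approved
        return pinned is not None and hmac.compare_digest(pinned, payload_hash(payload))

def render_app(app_id, registry, host):
    """Fetch the current payload from the developer host and serve it only if
    it is byte-for-byte the reviewed one; otherwise refuse, which is the
    signal that the app must go back through review."""
    payload = host[app_id]
    if not registry.is_approved(app_id, payload):
        raise PayloadChanged(f"{app_id}: fetched code does not match the reviewed hash")
    return payload

def demo():
    """Approve the benign version, serve it, then simulate the silent update.
    Returns (payload served before the update, whether the update was blocked)."""
    host = dict(DEVELOPER_HOST)  # private copy so the demo is repeatable
    registry = ReviewRegistry()
    registry.approve("natgeo-photos", host["natgeo-photos"])
    served_first = render_app("natgeo-photos", registry, host)
    host["natgeo-photos"] = MALICIOUS_UPDATE  # developer changes the hosted code
    try:
        render_app("natgeo-photos", registry, host)
        blocked = False
    except PayloadChanged:
        blocked = True
    return served_first, blocked

if __name__ == "__main__":
    print(demo())
```

The pin protects only what it covers: if the approved payload itself pulls scripts or images from other URLs at render time, those fetches sit outside the hash and need the same treatment, or a review rule that rejects them, which is exactly the kind of embedded reference the FORTH experiment relies on.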

Hamiel expects attacks to increase as social networks grow more popular. "People are less wary of programs that run in the browser than of those that have to be downloaded and installed on the hard disk," he notes. He believes that this attitude will have to change.

Translation from English:
Roman Ravve

Especially for worldwebstudio

Source: https://habr.com/ru/post/40281/

