LAS VEGAS — Millions of people use social networks globally, and many of them are potentially at risk to be exploited by hackers. Security researchers Nathan Hamiel and Shawn Moyer took the stage at Black Hat here today to explain to attendees how easily various social networks could be compromised.
With attacks ranging from the humorous to the serious, the researchers clearly showed that social networks still have work to do when it comes to security.
“Social networks can be uses as an attack platform,” Hamiel said. “They’ve got millions of users and are a great place to target.”
Hamiel was quick to point out that though he and his partner had identified as many as 60 different vulnerabilities, none of them are actually zero-day issues. In fact the two researchers argued that many of the issues they found were all reported as features by social networks. As such they’re now trying to coin the term “featureabilities” to describe social network features that are actually vulnerabilities.
One of the flaws that the researchers demonstrated using MySpace was how to trick a user into adding another user as a friend. Moyer showed a simple exploit in which an attacker could use the commenting function to include a small 1×1 pixel image tag. That image tag actually includes a call to add another person as a friend. So when the person whose page is being commented on clicks to approve the comment, they are in fact approving the request to add a friend.
“It looks stupid but it’s a big problem,” Hamiel said. “If you’re trying to get friends really fast for a social attack it’s important. The bigger your network the more legitimacy you have. Friends are currency on social networks.”
Hamiel also demonstrated how a comment left on a MySpace user page could also be used to trigger an unintentional user logout. Hamiel described the attack as a form of Denial of Service (DoS). To make matters worse the particular code that Hamiel uses will also log the user out when they actually try and delete the comment, effectively locking them out of their account.
The researcher also showed how easy it was to do social engineering attacks with social networks. What they did was create a profile on the LinkedIn site for noted security personality Marcus Ranum the CTO of Tenable
Security.
Moyer noted that on any given social network there are what he called, “linkwhores.” These are people that will accept friend connections from anyone else. So the researchers sent out friend requests to people based on a Google search for people that had security in their profiles. Moyer claimed they had more than 50 connections within 24 hours. They also got invites from other people, among them was Ranum’s sister who was also fooled by the bogus profile.
The security researcher did the same trick on Twitter for noted security researcher Gadi Evron. Moyer claimed that the bogus Twitter profile actually received an interview request from a journalist who was looking for a source to talk about the Kaminsky DNS flaw.
MySpace flaws
The researchers also targeted MySpace applications. Among the flaws they found was the ability to use the site’s API as a proxy for traffic. As such the researchers were able to use a MySpace IP address, which could then possibly be used for whatever purpose they chose.
The advice the security researchers offered to social networks is that overall they should reduce their API functionality. Linking to external content is not a good thing, they said, as it could easily lead to various forms of cross-site scripting attacks.
Finally, while some might argue that they don’t want to be on social networks, it’s actually a good thing to have your own profile.
“If you create a profile and then someone else creates a profile, at least their will be a question about which one is valid,” Hamiel said. “You control your own privacy by having a profile.”