Network World
Saturday, November 22, 2008

Stiennon on Security


GIFARs about to make security a bit more interesting

One of my predictions for 2008 (December 4, 2007) was that Facebook would be attacked through its open platform, which lets anyone write widgets for it.


1. Facebook widgets will be used to distribute malware. Facebook, the hugely popular social networking site with millions of users, has recently introduced the ability for users to create and publish small applications, or widgets. These applications could be for just about anything. I have seen one that asks you to compare your friends in a "hot or not" manner. Another, a simple game, is a blatant rip-off of Scrabble. Facebook hosts these applications and makes it possible for users to share and interact with them. In 2008 we will see attempts to exploit Facebook through these widgets. It could be through a vulnerability in an existing application that could, for instance, allow the download of a malicious Trojan. Or it could be a new application deployed to steal information or infect visitors' computers.


This came to fruition on January 3, 2008, when it was discovered that the "Secret Crush" widget was installing the malicious Zango app. (Update: Secret Crush merely enticed people to install Zango; it did not directly install it. Thanks to 180Solutions for that correction.)


The "Secret Crush" widget tells the recipient that someone has a secret crush on them; to find out who, the recipient has to install the widget and, oh, by the way, invite five friends to do so as well. The widget then proceeds to install the Zango malware that we all know and love. (Remember when Zango was installed via MySpace videos?)


A researcher at Ernst & Young has developed a clever hybrid of a GIF image and a Java Archive, dubbed a GIFAR. Because the Java runtime locates an archive from the end of the file while an image viewer reads from the start, one file can be a valid image and a valid JAR at the same time. It could conceivably be uploaded to any site that allows file uploads, and anyone who "viewed" it while simultaneously logged in to their Facebook, MySpace, or Flickr account could have their credentials stolen. Kudos to Nate McFeters for discovering and demonstrating such a sophisticated attack. He is presenting his technique at Black Hat this week, with the usual frustrating omission of "key elements". In other words, just enough is left out that determined hackers can figure it out, but the developers at Facebook and MySpace will struggle until a working exploit is deployed. Nate suggests that web application sites should be filtering uploads to prevent GIFARs from getting deployed, although he says this will be extremely hard to do. I sure hope the content filtering and web application firewall vendors are working on simple tools to make this possible.

Nate points out that this is not a Facebook/MySpace issue; it is true of all sites that allow image uploads. Hmm, that is ALL blogs. We are talking hundreds of millions of sites. It will be a long time (as in never) before that many sites are fixed.
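As an added example (not code from the article or from McFeters's research), here is the kind of upload check the vendors are being asked for: a Python filter that accepts a file as a GIF only if it does not also end with a ZIP end-of-central-directory record, the trailer a JAR reader uses to find the archive inside a GIFAR. The GIF bytes and the test archive are constructed inline so the check can be exercised offline.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD = b"PK\x05\x06"        # ZIP end-of-central-directory signature
ZIP_EOCD_MIN_LEN = 22           # fixed part of the EOCD record
ZIP_COMMENT_MAX = 0xFFFF        # an archive comment of up to 64 KiB may follow it


def looks_like_gif(data: bytes) -> bool:
    """What a naive upload filter checks: the file starts with a GIF signature."""
    return data[:6] in GIF_MAGICS


def has_zip_trailer(data: bytes) -> bool:
    """JAR/ZIP readers locate the archive from the END of the file, so a trailing
    EOCD record is what turns an innocent-looking image into a loadable archive."""
    tail = data[-(ZIP_EOCD_MIN_LEN + ZIP_COMMENT_MAX):]
    return tail.rfind(ZIP_EOCD) != -1


def zip_entries(data: bytes) -> list:
    """Entry names inside the embedded archive, if zipfile can open the upload
    at all (Python's zipfile tolerates data prepended to an archive)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_upload(data: bytes) -> str:
    """'gif' (accept), 'gif+zip' (polyglot: reject), 'zip', or 'other'."""
    gif, zipped = looks_like_gif(data), has_zip_trailer(data)
    if gif and zipped:
        return "gif+zip"
    return "gif" if gif else ("zip" if zipped else "other")


# Constructed sample: the standard 43-byte 1x1 GIF89a (header, screen
# descriptor, 2-colour palette, graphic control extension, image, trailer).
PLAIN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")


def make_polyglot_sample() -> bytes:
    """Constructed test vector: the GIF followed by a harmless ZIP holding one
    text file. Image viewers stop at the GIF trailer; archive readers start
    from the ZIP end record, so both parsers accept the same bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "constructed sample, not an applet")
    return PLAIN_GIF + buf.getvalue()
```

A filter that keys only on the leading magic bytes, or on the file extension, passes the polyglot; rejecting any image whose tail also parses as an archive catches this particular construction, though as the article notes it does not address every upload-hosting problem.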


In the meantime, be prepared for a web that is just a little spookier to use.

Thanks!


Rich, thanks for the coverage. The reason we are leaving out a few details is that they are key to exploiting the issue through Java, but not key to understanding the attack. Once Sun has released their patch, we will provide the missing details, but companies should keep in mind this will not be the long-term fix.

Billy Rios, John Heasman, Rob Carter, and I have already been in communication with a few vendors who are diligently working to address the issue. For any vendors who have questions, they can reach me at and I will do my best to help them address this issue. I will also have some updates on my blog at http://blogs.zdnet.com/security.

Thanks,

Nate McFeters

Still worried


Nate: I am still worried that, with the hundreds of millions of web sites that are going to be vulnerable, there will be widespread use of GIFARs for exploits long before all of our web servers, browsers, etc. can be fortified. Just like SQL injection is a generic attack that billions of web sites are vulnerable to, and the problem will never go away as long as people use sloppy coding, which is forever. :-)

I can't argue that researchers should not uncover these things, but this one is a doozy! Right up there with the DNS vuln that we will get fuller disclosure on this week.


RS


Yeah, it's bad


Agreed, it's real bad. Hence the title of our talk. I think we're doing the best we can with a tough situation. I think Sun is going to have a patch available shortly after Black Hat that will give us a temporary fix, but there will just be another vector like this somewhere down the road.

Billy and I talked about taking ownership of content, or as we like to call it, taking pwnership of content, last year at DEFCON. Back then, we were uploading Flash cross-domain policy files in this fashion. We still have some simple attacks like that. One of the flaws we'll demo in our talk is a straight-up upload of a Java applet to the site. Forget GIFARs.

People need to understand the dangers of accepting user uploaded data and hosting it from the same domain as the application itself. The GIFAR stuff is interesting, but the end result is that even with that gone, this is still an issue in some cases.

-Nate

About Stiennon

Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
