GIFARs about to make security a bit more interesting

One of my predictions for 2008 (made December 4, 2007) was that Facebook would be attacked through its open platform, which enables anyone to write widgets for it:

1. Facebook widgets will be used to distribute malware. Facebook, the hugely popular social networking site with millions of users, has recently introduced the ability for users to create and publish small applications, widgets. These applications could be for just about anything. I have seen one that asks you to compare your friends in a "hot or not" like manner. Another, a simple game, is a blatant rip-off of Scrabble. Facebook hosts these applications and makes it possible for users to share and interact with them. In 2008 we will see attempts to exploit Facebook through these widgets. It could be through a vulnerability in an existing application that could for instance allow the download of a malicious Trojan. Or, it could be a new application deployed to steal information or infect visitors' computers.

This came to fruition on January 3, 2008, when it was discovered that the "Secret Crush" widget was installing the malicious Zango app. (Update: Secret Crush merely enticed people to install Zango. It did not directly install it. Thanks to 180Solutions for that correction.)

The "Secret Crush" widget suggests that someone has a secret crush on the recipient, and to find out who, he/she has to install the widget and, oh, btw, invite five friends to do so as well. The widget then proceeds to install the Zango malware that we all know and love. (Remember when Zango was installed via MySpace videos?)

A researcher at Ernst and Young has developed a clever hybrid of a GIF image and a Java Archive that is being dubbed a GIFAR. It could conceivably be uploaded to any site that allows file uploads, and then anyone who "viewed" it while simultaneously logged in to their Facebook, MySpace, or Flickr account could have their credentials stolen. Kudos to Nate McFeters for discovering and demonstrating such a sophisticated attack. He is presenting his technique at BlackHat this week with the usual frustrating omission of "key elements". In other words, just enough is left out so determined hackers can figure it out, but developers at Facebook and MySpace will struggle until a working exploit is deployed. Nate suggests that web application sites should be filtering uploads to prevent GIFARs from getting deployed, although he claims this will be extremely hard to do. I sure hope the content filtering and Web Application Firewall vendors are working on simple tools to make this possible.
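The filtering Nate calls for comes down to a structural check: a file that begins with a GIF header should not also carry the ZIP structure that makes it a loadable Java archive. The script below is an added example, not code from the article or from Nate McFeters' talk. It flags a GIF that also validates as a ZIP, or that contains ZIP local-file or end-of-central-directory signatures anywhere in its body. The two sample files are constructed inline (a hand-built 1x1 GIF and a harmless text-only ZIP appended to it) purely so the check can be exercised offline; the function names and the "accept/reject" labels are this example's own choices.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record, always near the file's tail


def looks_like_gif(data: bytes) -> bool:
    """Content-sniff the upload instead of trusting its extension or Content-Type."""
    return data[:6] in GIF_MAGICS


def contains_zip_structure(data: bytes) -> bool:
    """True if any ZIP entry header or end-of-central-directory marker appears in the blob."""
    return ZIP_LOCAL_HEADER in data or ZIP_EOCD in data


def is_gif_jar_polyglot(data: bytes) -> bool:
    """A GIF that a ZIP/JAR reader would also open is the shape of a GIFAR.

    zipfile.is_zipfile() locates the end-of-central-directory record from the
    tail of the file, so leading image bytes do not stop it from succeeding;
    the substring scan is a cheaper second opinion for truncated or odd cases.
    """
    if not looks_like_gif(data):
        return False
    if zipfile.is_zipfile(io.BytesIO(data)):
        return True
    return contains_zip_structure(data)


def classify_upload(data: bytes) -> str:
    """Decision an upload handler could act on before storing the file."""
    if is_gif_jar_polyglot(data):
        return "reject: GIF with embedded ZIP/JAR structure"
    if looks_like_gif(data):
        return "accept: GIF"
    return "reject: not a GIF"


# --- constructed test fixtures (not files from the article) ---
def _minimal_gif() -> bytes:
    # GIF89a header, 1x1 logical screen with a 2-colour global table,
    # one image descriptor, a tiny LZW data stream, and the 0x3B trailer.
    return (
        b"GIF89a"
        + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
        + b"\x00\x00\x00\xff\xff\xff"
        + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
        + b"\x02\x02\x44\x01\x00"
        + b"\x3b"
    )


def _harmless_zip() -> bytes:
    # A ZIP holding a single text entry; no class files or manifest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed test fixture")
    return buf.getvalue()


SAMPLE_CLEAN_GIF = _minimal_gif()
SAMPLE_POLYGLOT = _minimal_gif() + _harmless_zip()

if __name__ == "__main__":
    for name, blob in (("clean gif", SAMPLE_CLEAN_GIF),
                       ("gif+zip", SAMPLE_POLYGLOT),
                       ("random bytes", b"not an image")):
        print(f"{name}: {classify_upload(blob)}")
```

The check is deliberately a reject, not a strip: trimming everything after the GIF trailer byte would be fragile because 0x3B can legitimately appear inside image data. Re-encoding accepted images through an image library on the server, which discards trailing bytes as a side effect, is the usual complement to a signature check like this one.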

Nate points out that this is not a Facebook/MySpace issue; it is true of all sites that allow image uploads. Hmm, that is ALL blogs. We are talking hundreds of millions of sites. It will be a long time (as in never) before that many sites are fixed.

In the meantime, be prepared for a web that is just a little spookier to use.


Copyright © 2008 IDG Communications, Inc.
