
The hidden threat of third-party applications
- Translation

A number of studies have shown that there is still reason for concern. At the Information Security Conference this week in Taiwan, researchers from the Foundation for Research and Technology - Hellas (FORTH) presented the results of an experiment in which Facebook users took part. The researchers built an application that displays photographs from National Geographic on the user's profile page. Invisibly to the user, however, the application also requests large image files from a target server, in this case a server that FORTH itself owned. If enough users install the application on their pages, the stream of requests can grow so large that the target server cannot cope with the load and becomes unreachable.
One of the participants in the FORTH project, Elias Athanasopoulos, said that the researchers did nothing to promote their application, yet about 1,000 Facebook users installed it on their own within the first day. The resulting attack was not especially powerful, but according to Athanasopoulos it is quite capable of taking a small website offline, and he suggests there are ways to increase its power considerably. The attack relies on the openness of the Facebook platform. "It's far from easy to find a way to provide the platform (to third-party developers) so that it cannot lead to negative consequences for the rest of the network," Athanasopoulos says.
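The victim-side check an administrator of the target server would want against the experiment described above. This is an added example, not code from FORTH or Facebook: it assumes the target server logs in Apache/nginx combined format, uses a constructed sample log with an assumed application host (apps.socialnet.example) and assumed file paths, and flags a path when most of the requests for it in a short window carry the same Referer host and those requests come from many distinct client addresses. It also renders a suggested nginx rule that refuses the flagged path to browsers referred from that host.

```python
"""Spot a social-network-amplified request flood in web server access logs.

Added example, not code from FORTH or Facebook. Assumes the target server
writes Apache/nginx "combined" format logs. SAMPLE_LOG below is constructed;
apps.socialnet.example and the /photos/ paths are assumed names.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    e["ref_host"] = urlparse(e["referer"]).netloc.lower() if e["referer"] != "-" else ""
    return e


def find_amplified_floods(events, window=timedelta(seconds=60), min_ips=5, min_share=0.8):
    """One alert per (path, referring host) where, inside `window`, at least
    `min_share` of the requests for the path carried that Referer host and those
    requests came from at least `min_ips` distinct client addresses: the
    signature of many unrelated browsers being steered at one file by a single
    embedding page."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    alerts = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            win = evs[i:j]
            host, n = Counter(e["ref_host"] for e in win).most_common(1)[0]
            if not host or n / len(win) < min_share:
                continue
            referred = [e for e in win if e["ref_host"] == host]
            ips = {e["ip"] for e in referred}
            if len(ips) < min_ips:
                continue
            cand = {"path": path, "referer_host": host, "distinct_ips": len(ips),
                    "referred_requests": n, "total_requests": len(win),
                    "bytes": sum(e["bytes"] for e in referred),
                    "start": win[0]["ts"], "end": win[-1]["ts"]}
            key = (path, host)
            if key not in alerts or cand["distinct_ips"] > alerts[key]["distinct_ips"]:
                alerts[key] = cand
    return sorted(alerts.values(), key=lambda a: (-a["distinct_ips"], a["path"]))


def nginx_block_rule(alert):
    """Suggested mitigation: refuse the flagged path to browsers referred from
    the flagged host. Review before use; it also blocks legitimate embeds."""
    host = re.escape(alert["referer_host"])
    return (f'location = {alert["path"]} {{\n'
            f'    if ($http_referer ~* "^https?://{host}/") {{ return 403; }}\n'
            f'}}')


# Constructed sample: six distinct clients fetch the same 5 MiB file within 40
# seconds, all referred from one application page; the rest is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.11 - - [20/Aug/2008:14:03:01 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
10.0.0.12 - - [20/Aug/2008:14:03:04 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
10.0.0.13 - - [20/Aug/2008:14:03:09 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
192.0.2.7 - - [20/Aug/2008:14:03:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.14 - - [20/Aug/2008:14:03:15 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
198.51.100.5 - - [20/Aug/2008:14:03:18 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
10.0.0.15 - - [20/Aug/2008:14:03:22 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
10.0.0.21 - - [20/Aug/2008:14:03:25 +0000] "GET /photos/big2.jpg HTTP/1.1" 200 4194304 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
10.0.0.22 - - [20/Aug/2008:14:03:31 +0000] "GET /photos/big2.jpg HTTP/1.1" 200 4194304 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
this line is not in combined format and is skipped
10.0.0.16 - - [20/Aug/2008:14:03:40 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 5242880 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
"""


def analyze(log_text=SAMPLE_LOG):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return find_amplified_floods(events)


if __name__ == "__main__":
    for a in analyze():
        print(f'{a["path"]}: {a["distinct_ips"]} clients via {a["referer_host"]}, '
              f'{a["bytes"]} bytes in {(a["end"] - a["start"]).seconds}s')
        print(nginx_block_rule(a))
```

On the sample, only /photos/big1.jpg is flagged (six referred clients out of seven requests); /photos/big2.jpg stays below the client threshold and the direct hits carry no Referer. Tune the window and thresholds to the site's normal embed traffic, and remember that a Referer header is client-supplied: it is good enough to attribute a flood to an embedding page, not to prove who built that page.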
A broader analysis covering several social networking sites shows that the potential damage can be far greater. Two computer security consultants, Nathan Hamiel of Hexagon Security Group and Shawn Moyer of Agura Digital Security, presented examples of malicious applications for the OpenSocial platform, which is used by MySpace, hi5, Orkut and several other social networks. One of their demo applications, called DoSer, logs out of the site any user who views the profile of a compromised user for more than seven seconds. Another, called CSRFer, sends fake friend requests on behalf of the user whose account has been attacked. Hamiel believes that social networks offer many such attack vectors and that resisting attackers is no easy task. "The application penetrates very deeply under the skin of the service," Hamiel says.
The main problem is that users cannot always tell what a given social-network application actually does. "As a user, you cannot verify what actions the application performs," says Roel Schouwenberg of Kaspersky Lab's Belgian office. "Personally, as a computer security specialist, I take no pleasure in that fact."
According to Hamiel, the social factor also plays an important role: social networks create an atmosphere of trust, and that is exactly what cybercriminals exploit. For example, malware disguised as a Flash update recently spread virally across Facebook, passed from user to user. "It was the social factor that caused users to take actions that were destructive from a technical point of view," Hamiel says.
The companies behind social networks are only now beginning to pay attention to security. Facebook, for example, recently created a dedicated "security page" where users can read about the dangers that may await them on the site. According to the company, its security team "works tirelessly to identify vulnerabilities in its own system, and also works with the external community, inviting it to point out what goes unnoticed."
Hamiel worries that there is no way to be 100% safe from malware. He points out that an attacker can develop an application that appears completely harmless and then, once the number of users who have installed it reaches a certain point, turn it into a destructive program simply by pushing an update that contains malicious code.
Restricting the capabilities of all applications does not look like a suitable solution either, since that would strip them of exactly what attracts users to them. "The situation is delicate, because the goal of social services is to foster creative imagination and communication," Hamiel says. "Stopping that creativity means acting against the service itself."
According to Athanasopoulos, the best solution would be to hire dedicated programmers to check the code that external applications are made of. He understands, however, that the cost of such a service would be unacceptable to most companies.
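Two of the concerns raised in the last three paragraphs, a harmless-looking application that turns malicious through a later update and the cost of reviewing external code, can be narrowed with a cheap platform-side gate. The following is an added example, not Facebook's or OpenSocial's code: it assumes a platform that renders each application's markup into user pages and records which version a reviewer approved; apps.socialnet.example, cdn.photoapp.example and target.example are assumed names and the markup is constructed. The gate pins the hash of the reviewed version so a silent update cannot ride on an earlier approval, and refuses approval when the markup would make browsers fetch resources from hosts outside an allowlist, which is the FORTH pattern of a photo widget quietly pulling large files from a server it does not own.

```python
"""Review gate for third-party application markup: integrity pinning plus an
allowlist of resource hosts.

Added example, not Facebook's or OpenSocial's code. Assumes a platform that
renders each app's markup into user pages and keeps the hash of the version a
reviewer approved. Host names and markup below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceHosts(HTMLParser):
    """Collect every host the markup would make a user's browser contact."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action", "data") and value:
                host = urlparse(value).netloc.lower()
                if host:  # relative URLs stay on the platform and are fine
                    self.hosts.add(host)


def resource_hosts(markup):
    p = _ResourceHosts()
    p.feed(markup)
    return p.hosts


def content_hash(markup):
    return hashlib.sha256(markup.encode("utf-8")).hexdigest()


class AppReviewGate:
    """A reviewer approves one exact version (its hash is pinned), and approval
    is refused when the markup points browsers at hosts outside the allowlist."""

    def __init__(self, allowed_hosts):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.approved = {}  # app_id -> sha256 of the reviewed markup

    def review(self, app_id, markup):
        bad = sorted(h for h in resource_hosts(markup) if h not in self.allowed_hosts)
        if bad:
            return {"approved": False, "reason": "unapproved resource hosts", "hosts": bad}
        self.approved[app_id] = content_hash(markup)
        return {"approved": True, "sha256": self.approved[app_id]}

    def serve(self, app_id, markup):
        """Serve-time check: bytes that differ from the reviewed version are
        held back until a reviewer looks at them again."""
        pinned = self.approved.get(app_id)
        if pinned is None:
            return {"serve": False, "reason": "never reviewed"}
        if content_hash(markup) != pinned:
            return {"serve": False, "reason": "changed since review"}
        return {"serve": True}


# Constructed markup: version 1 is a plain photo widget; version 2 silently adds
# a 1x1 image fetched from a server the app does not own.
PHOTO_APP_V1 = ('<div class="photo"><img src="http://cdn.photoapp.example/today.jpg">'
                '<a href="/photoapp/archive">Archive</a></div>')
PHOTO_APP_V2 = PHOTO_APP_V1 + '<img src="http://target.example/huge/scene-1.jpg" width="1" height="1">'


def demo():
    """Walk the two versions through the gate and return every decision."""
    gate = AppReviewGate(["cdn.photoapp.example", "apps.socialnet.example"])
    return {
        "review_v1": gate.review("photoapp", PHOTO_APP_V1),
        "serve_v1": gate.serve("photoapp", PHOTO_APP_V1),
        "serve_v2_unreviewed": gate.serve("photoapp", PHOTO_APP_V2),
        "review_v2": gate.review("photoapp", PHOTO_APP_V2),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The hash pin only works on content the platform can see whole, so for applications that generate markup dynamically the pin belongs on the template or on the proxy's output. The host allowlist is the cheaper of the two checks and catches the specific trick above without a human reading code; it does not replace review for logic that abuses the platform's own APIs, such as the friend-request forgery described earlier.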
Hamiel believes that as social networks grow in popularity, attacks will become more frequent. "People are less attentive to programs that run from the browser than to those that need to be downloaded and installed on the hard drive," he notes. He believes that attitude will have to change in the future.
Translation from English:
Roman Ravve
Specially for
