Shmoocon V: Fail 2.0

Hamiel and Moyer have apparently presented on the security failures of social networks, before. I arrived a little late at their talk on Saturday and barely managed to find a spot to stand.

Their talk resonated with one of the themes of Blaze's keynote: many of the problems they discussed are ones the network implementers and operators should have known better than to allow. They focused a good deal on MySpace, but also examined LinkedIn and Facebook. MySpace may have more problems because it is one of the older social networks. Worse, it institutionalized the inclusion of third party content as a large part of its platform.

Through their examples, I think Hamiel and Moyer suggest ways that this third party inclusion could have been achieved more safely. Some of the things they showed are just stunning, especially the simple DoS attack made possible by injecting enough JavaScript into a front page comment to trigger the application's own logout function for everyone who viewed it.

OpenSocial apparently has not fared better than the individual efforts by social network developers. Despite the opportunity to leverage broader expertise, the underlying focus of the work remains the same: user convenience in building and communicating with their network. Security really should be a priority with such standards focused, group efforts, and I think there is an opportunity for truly open alternatives, like the work being done by the DataPortability folks, to do better.

The lack of attention to security has turned each of these networks increasingly into what the presenters referred to as "botnet light."

The social aspect also makes these services very attractive targets for entirely non-technological attacks. It makes sense: the providers derive value from the results of the users' social calculus, their participation in and construction of large personal graphs. One of the presenters described these groupings as essentially focus groups, which is what the ad driven services want, but it also makes them ripe for very targeted, context dependent social engineering.

They discussed a couple of experiments they conducted to prove their point. In one, they spoofed Marcus Ranum's profile on one of these sites, with his permission. In another, on a more professionally oriented site, they fabricated a profile for a professional recruiter from whole cloth, including several juicy job openings. In both cases it was astonishing how much personal information they were able to harvest through legitimate means with an illegitimate profile. It really does call for social network providers to do something in the way of authenticating identity. Right now none of them appear to do much of anything.

They did mention some defensive efforts too. OpenSocial, for all its flaws, does include something called Caja. It is a subset of JavaScript that strips out the most dangerous bits. The only problem is that it is an optional part of OpenSocial; providers have to opt in by enabling it. Most apparently don't know it exists or, if they do, what it is.

For their part, the presenters are currently working on a Firefox extension, CSRFblocker, somewhat inspired by AdBlocker. Even in the process of building the extension, though, they have uncovered some telling misunderstandings. Many of the existing content blocking tools only block the rendering of the content. The tools still make the request for that content, so the browser is still vulnerable to most of the attacks, since the side effect happens on the server when the request arrives, whether or not anything is drawn on screen. Hopefully the new extension from hexsec will be available soon and will help shore up some of these deficiencies.
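To make the two points above concrete (the comment-injected logout DoS, and why a blocker that only hides content does not help), here is an added model, not code from the talk or from hexsec. It assumes a hypothetical `/logout` endpoint and a constructed comment carrying an injected `<img>` tag, and compares a render-only blocker with a request blocker against a logout handler that does and does not require a POST with a CSRF token.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a front-page comment carrying an injected tag whose
# src points at the application's own logout endpoint (a GET with a side effect).
INJECTED_COMMENT = 'nice profile! <img src="/logout" alt="">'


@dataclass
class Server:
    """Hypothetical model of a social network's logout handler."""
    require_post_and_token: bool
    csrf_token: str = "t0k3n"   # constructed per-session synchronizer token
    logged_in: bool = True

    def request(self, method: str, path: str, token: Optional[str] = None) -> int:
        if path != "/logout":
            return 404
        if self.require_post_and_token:
            # Hardened handler: a GET issued by an <img> tag carries no token
            # and is not a POST, so it cannot end the session.
            if method != "POST" or token != self.csrf_token:
                return 403
        self.logged_in = False
        return 200


def extract_resource_urls(html: str) -> List[str]:
    """URLs a browser would fetch as soon as it parses the comment."""
    return re.findall(r'<img[^>]+src="([^"]+)"', html)


def render_page(html: str, server: Server, blocker: str) -> bool:
    """Simulate a browser with one of three content-blocking strategies:
    'none'    - fetch and render everything
    'render'  - fetch, then hide the element (what most blockers do, per the talk)
    'request' - never issue the request at all
    Returns True if the user is still logged in afterwards."""
    for url in extract_resource_urls(html):
        if blocker == "request":
            continue                 # request never leaves the browser
        server.request("GET", url)   # 'none' and 'render' both still fetch
    return server.logged_in


def outcomes() -> Dict[Tuple[str, bool], bool]:
    """(blocker, hardened) -> still logged in? Only the request blocker or the
    hardened server keeps the session alive; hiding the element changes nothing."""
    result = {}
    for blocker in ("none", "render", "request"):
        for hardened in (False, True):
            srv = Server(require_post_and_token=hardened)
            result[(blocker, hardened)] = render_page(INJECTED_COMMENT, srv, blocker)
    return result
```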
