Dangerous MySpace Spam

Posted by: Tom

I have been doing lots of research over the last few months on online social networking sites to prepare for an upcoming talk I am going to be giving on the latest threats to social networks, in particular MySpace, Facebook and LinkedIn.

Tonight I received a new friend request from someone named "Elysabeth" in my email. Clicking on the link in the email takes you to the legitimate MySpace Friend Request Manager page, which shows the request below:

Elysabeth wants to be your friend..really!

Clicking on the picture takes you to Elysabeth's profile. Check out the picture of what the profile looks like after clicking through to it.

EDIT: I didn't edit out the MySpace profile URL in the picture, so don't visit the URL and click on anything if you don't want to risk being infected!

Notice anything strange, like the Windows Update notification pop-up? Looks pretty real, huh? Clicking anywhere on the top half of the page pops up the dialog you see on the right side to download a .exe file: some nice malware for you to install. Enjoy! (Only on a Windows box... :-) ) It is interesting to note that if you scroll down the page past the malware banner, it looks like a legitimate MySpace profile. My guess is that this profile was hijacked either through XSS or some other third-party application vulnerability; the real owner probably has no clue.

On a related note, I just read an article on how Paris Hilton and Lindsay Lohan had their private photos downloaded because of a flaw in a Yahoo/MySpace widget. It looks like Yahoo/MySpace fixed this flaw pretty quickly tonight, but it goes to show that third-party applications and widgets are another popular attack vector.

One more update: Mediaphyter posted a link tonight to the 10 Social Networking Security Trends To Watch. A must-read on the latest online social networking threats.

New Facebook "Loophole" Found

Posted by: Tom

Saw this on Liquidmatrix today.

Some programmers in the UK created a Facebook application that, once installed by a Facebook user, allowed the programmers to view that user's personal information even with the privacy settings changed. From the UK article:

"Details such as the date of birth, address and contact numbers of the user, and that of all their friends, can be seen by the creators and could potentially be stolen."

This shouldn't be a surprise to anyone. Facebook has very limited control over what third-party applications or widgets a user can install. Sure, they have "terms and conditions" that must be followed, but as we all know those can be circumvented quite easily.

I recently created a Facebook profile to test the security for myself, and I have found that the default security/privacy settings for a Facebook profile are pretty much wide open. This includes having your profile indexed by search engine spiders. The average Facebook user will most likely ignore these settings and install those cool Facebook applications their friends are using as well. :)