CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Social Networks’ Category

Web Sessions Over Protected Wireless Networks Can Be Hijacked With An Android App

Friday, June 3rd, 2011

A new Android app makes hijacking other people’s Facebook, Twitter, YouTube and Amazon sessions a breeze over private or open wireless networks. Called FaceNiff, the app is the work of a Polish programmer named Bartosz Ponurkiewicz and was apparently released on his website in mid-May.

“It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK),” the developer writes. FaceNiff requires root access on the phone in order to work properly. Root (admin) access is not enabled by default on most devices, but there are many tutorials and tools available to obtain it.

So far, the app can hijack sessions for Facebook, Twitter, YouTube, Amazon and Nasza-Klasa, a Polish social networking service. It has been confirmed to work on HTC Desire CM7 (CyanogenMod 7), Original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S (Galaxy S T-Mobile), Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black – original rom, LG Optimus 3D – original rom, Samsung Infuse.

Session hijacking, also known as side-jacking, involves attackers positioning themselves between users and websites in order to steal session cookies, the small text files stored in browsers so that services can remember authenticated users.

Session cookies can be placed into any browser to take control over the sessions they correspond to. This type of attack does not expose passwords, but does give attackers access to the victims’ accounts.

Firesheep, an extension for Firefox released last year, is based on a similar concept, and its availability led major websites like Google, Facebook and Twitter to speed up their SSL deployment plans.

At the moment, the only way to protect session cookies in transit over wireless networks is to encrypt the connection, and that is only possible on websites that support HTTPS, the combination of HTTP and SSL/TLS.

Users are strongly advised to only log into websites that support HTTPS when connected over wireless networks. The HTTPS-Everywhere extension developed by the EFF can force HTTPS automatically on major websites.
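As an added illustration (not code from the article or from FaceNiff), the check a site operator would run against their own responses: parse the Set-Cookie headers and flag session cookies that would cross the WiFi in the clear. The raw response, the cookie names and the session-name heuristic are all constructed for this example.

```python
# Added example, not from the article: audit a server response for session
# cookies that would travel in cleartext over WiFi. The raw response, cookie
# names and the "looks like a session cookie" name hints are constructed.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")  # assumption


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {attribute: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def parse_headers(raw_response):
    """Return (lowercased-name, value) pairs from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # index 0 is the status line
        if ":" in line:
            key, val = line.split(":", 1)
            headers.append((key.strip().lower(), val.strip()))
    return headers


def audit_session_cookies(raw_response, served_over_https):
    """Return {cookie_name: [findings]} for cookies that look like session IDs."""
    report = {}
    for key, val in parse_headers(raw_response):
        if key != "set-cookie":
            continue
        name, attrs = parse_set_cookie(val)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue
        findings = []
        if not served_over_https:
            findings.append("served over plain HTTP: visible to anyone on the network")
        if "secure" not in attrs:
            findings.append("missing Secure: browser also sends it on http:// links")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by injected script")
        report[name] = findings
    return report


# Constructed response imitating a site that sets its session cookie over HTTP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for cookie, problems in audit_session_cookies(SAMPLE_RESPONSE, False).items():
        print(cookie, problems)
```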

FaceNiff app homepage: http://faceniff.ponury.net

Credit: Softpedia.com News

PlentyOfFish Resets User Passwords After Registration Details Theft

Tuesday, February 1st, 2011

Online dating website PlentyOfFish has reset user passwords after hackers managed to extract people’s registration information by exploiting vulnerabilities in the platform. The dating site, which is very popular in Canada, UK and the United States, has over 145 million visitors a month and over 10 million registered users.

According to independent security journalist Brian Krebs, the compromise was first reported by an Argentinian hacker named Chris “Ch” Russó, who demonstrated a proof-of-concept to him.

Russó has previously hacked into ThePirateBay.org and exposed vulnerabilities in the website. He views himself as a security researcher. The hacker claims that he is not the only one to have obtained unauthorized access to the PlentyOfFish database and that the site’s database is being circulated in the hacking community.

In a lengthy post on the company’s blog, PlentyOfFish founder Markus Frind tells a different story, one where Russó tried to force his company into signing a contract for security services with him.

Frind described Russó’s actions as harassment against his company, himself and especially his wife, whom the hacker called over the phone on several occasions.

“Plentyoffish was hacked last week and we believe emails, usernames and passwords were downloaded,” Frind wrote in his original post. “We have reset all users’ passwords and closed the security hole that allowed them to enter,” he stressed.

In a later statement, the company noted that only 345 accounts had their password exposed, which would make it a relatively limited breach. It’s therefore not entirely clear if passwords were reset for the entire user base or only for those that have been confirmed as compromised.

If all users had their passwords reset, it might be the result of the introduction of a hashing algorithm, as this attack revealed that PlentyOfFish access codes were being stored in plain text, which is a major security oversight.

Credit: Softpedia.com News

Compromised Twitter Accounts Spread Links to Malware Downloads

Tuesday, December 7th, 2010

It appears that a new worm is spreading by hijacking Twitter accounts and using them to advertise links to a drive-by download website. The attack starts with goo.gl shortened URLs being sent by users whose computers have already been infected by the new threat.

The links get changed as soon as Google suspends them for abuse. One goo.gl URL pointed to a page hosted on a compromised website belonging to a French furniture manufacturing business.

This page takes visitors through several redirects and eventually lands them on a drive-by download site that tries to exploit vulnerabilities in outdated versions of Java and Adobe Reader.

According to various reports, in addition to the compromised .fr website, an .it one has also been observed, which ironically belongs to a firm offering computer repair services. An interesting aspect about these websites is that both of them are entirely designed in Flash. We’re not sure at this point if this is just a coincidence or a pattern.

There is still no detailed analysis of the malware installed in the case of successful exploitation. However, it’s pretty clear that it can hijack the Twitter accounts of people using the infected computers.

The rogue messages are sent through Twitter’s mobile site instead of the main Web interface, but this is probably done by attackers for convenience reasons. The behavior of hijacking accounts like this is reminiscent of the Koobface social networking worm, which also targeted Twitter in the past. However, at this point this is only speculation.

According to TechCrunch, Twitter is aware of the attack and is actively resetting the passwords of the compromised accounts.

Users are advised to be suspicious of goo.gl links posted with no other message attached, although this behavior might change.

Credit: Softpedia.com News

Top-Ranked Facebook Applications Transmit Personal IDs, Personal Information To Ad Firms

Monday, October 18th, 2010

Facebook’s privacy rules aren’t as watertight as the company would have its users believe, after the Wall Street Journal uncovered that some of the social network’s most popular apps have siphoned off personal information to ad firms and internet tracking outfits.

According to the report, many Facebook apps have transmitted identifiable details about individual users to around 25 companies, in effect breaking the terms laid down by the Mark Zuckerberg-run website.

The privacy breach, which gives advertising and internet tracking firms access to people’s names, affects a huge number of Facebook app users. Worse still, the newspaper found that users whose profiles have rigorous privacy settings have also had their details exposed. It said that the 10 most popular Facebook apps, including Farmville and Texas HoldEm Poker, were transmitting users’ IDs to external firms.

Game Network Inc’s Farmville was found to also be transmitting personal details about a user’s Facebook “friends” to advertisers and internet tracking companies.

Facebook, which claims to have around 500 million users of its service, told the WSJ that the social network would bring in new tech to close the breach.

One company, RapLeaf Inc, was found to have linked Facebook ID details taken from apps to its own database of internet users, which it sells on to companies. RapLeaf insisted that the transmission of data hadn’t been intentional. “We didn’t do it on purpose,” the company’s biz development veep Joel Jewitt told the newspaper.

Facebook put out a separate statement to its third-party developers at http://developers.facebook.com/blog/post/418 that was part finger-wagging and part assertion that the press had exaggerated the implications of sharing a UID.

Credit: The Register

New Cross-site Scripting Vulnerability On Twitter Allows Session Hijacking And Posting

Monday, September 6th, 2010

According to a report from the XSSed Project, the vulnerability is located in the search script on dev.twitter.com and was discovered by a researcher calling himself “cbr”.

Following the disclosure, security researcher Mike Bailey quickly put together a proof-of-concept exploit that forces a logged-in Twitter user to post a rogue message from their account when they visit a maliciously crafted Web page.

The attack leverages the flaw to hijack the victim’s session cookie and use it to post a tweet on their behalf, but the researcher notes that other malicious actions could also be performed. “While I’m not collecting any data other than session cookies, and I’m discarding them once I post a tweet from your account, I could do much more,” the researcher writes.

Bailey’s example requires a button to be clicked in order to trigger the exploit, but this is not necessary and the same result could be achieved transparently. This means that the flaw, which at the time of writing this article is still unpatched, could be used to create a malicious XSS worm that would rapidly spread across the micro-blogging website.

“I wrote this proof of concept in less than 10 minutes. These things are ridiculously easy to attack,” Bailey points out.

Cross-site scripting vulnerabilities stem from a failure to properly validate user input into forms and allow attackers to force websites into serving unauthorized code to visitors. This is actually the fourth serious XSS bug discovered on Twitter this summer, even though the website has confronted similar problems in the past and has undergone repeated scrutiny.

Client-side protection against XSS is available in several browsers. Internet Explorer and Google Chrome come with their own internal filters, while Firefox has the popular NoScript extension.

Facebook Bug Reveals Names And Photos For All 500 Million Users

Wednesday, August 11th, 2010

A bug in Facebook’s login system allows attackers to match unknown email addresses with users’ first and last names, even when they’ve configured their accounts to make that information private.

The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. “Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”

Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter. To streamline the attack, Agarwal has written a PHP script that works with large lists of email addresses.
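An added example (not Facebook’s code) of the fix the article implies: a login handler that answers identically for an unknown e-mail and for a wrong password, so the form cannot be turned into an e-mail-to-name lookup. The user table, the password hashing scheme (PBKDF2 via hashlib) and the response shapes are constructed for this example.

```python
# Added example, not Facebook's code: a login handler that answers the same
# way whether the e-mail is unknown or the password is wrong, so the form
# cannot be used as a name-lookup service. Users, hashes and the hashing
# scheme are constructed for this example.
import hashlib
import hmac
import os


def hash_password(password, salt=None, rounds=100_000):
    """PBKDF2-SHA256; returns (salt, digest). A fresh salt is made if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


# Constructed user table: email -> (salt, hash, display name, photo URL)
_SALT, _HASH = hash_password("correct horse")
USERS = {"alice@example.com": (_SALT, _HASH, "Alice Example", "/photos/alice.jpg")}

# Dummy record so an unknown e-mail costs the same hashing work as a known one
_DUMMY_SALT, _DUMMY_HASH = hash_password("unused-dummy-password")

GENERIC_ERROR = {"ok": False, "error": "Incorrect e-mail or password"}


def login_leaky(email, password):
    """Vulnerable shape: a wrong password still reveals the account's name and photo."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "No account for that e-mail"}
    salt, stored, name, photo = user
    _, attempt = hash_password(password, salt)
    if not hmac.compare_digest(stored, attempt):
        return {"ok": False, "error": "Wrong password", "name": name, "photo": photo}
    return {"ok": True, "name": name}


def login_hardened(email, password):
    """Same response for unknown e-mail and wrong password; no profile data leaks."""
    salt, stored, name, _ = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH, None, None))
    _, attempt = hash_password(password, salt)
    matched = hmac.compare_digest(stored, attempt)   # constant-time compare
    if name is None or not matched:
        return dict(GENERIC_ERROR)
    return {"ok": True, "name": name}
```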

Over the past few years, Facebook has come under criticism for revealing too much information about its users. The data — which can include users’ birthdays, home towns and personal friends — can then be used by marketers, stalkers, and other ne’er-do-wells to invade the users’ privacy. The social-networking site has responded by giving users more control over who gets to see select pieces of user information.

Evidently, the name-to-email-address extraction bug has been overlooked. We wouldn’t be surprised to see it fixed in short order.

Credit: The Register

Facebook Users Can Be Forced Into Liking Arbitrary Pages Through Clickjacking

Wednesday, July 14th, 2010

A security researcher has discovered a vulnerability which can be used to force Facebook users into liking arbitrary pages. The type of attack is known as clickjacking and does not require any form of user confirmation.

The Facebook “Like” button allows users to share content they find interesting on the Web. The feature is meant to allow users with similar interests to easily find and connect to each other on the social networking website. The button can be integrated by webmasters into any page on their website via a special IFrame.

The bug was discovered by a 21-year-old student named Eric Kerr who documented it on his blog. Successful exploitation results in arbitrary content being added to the user’s Facebook News Feed, and at the time of writing this article the flaw was still active.

Kerr explains that a bug in the implementation allows potential attackers to trick users into Liking malicious pages without even knowing it. This can be accomplished by hiding the button on the page via CSS and attaching it under the mouse cursor using a bit of JavaScript.

In this way, regardless of where the user clicks on the page, they will always click on the “Like” button. The most important aspect of the attack is that it all happens transparently, without users seeing any warning that they are about to Like something.

This type of attack, which is known as clickjacking or user interface (UI) redressing, can allow for the creation of so called social networking worms – malicious messages that spread virally. The existence of such a vulnerability is worrying because Facebook scams abusing the Like functionality have been particularly active lately.

“More advanced versions might use cookies to detect when a user is returning so they can actually use the site after presumably clicking the like button. Other modifications might include detection on when a user clicks the invisible iframe so it is removed without the user knowing and browsing returns to normal,” Eric Kerr warns.

Credit: Softpedia.com News

Unsophisticated Old Malware Abuses Twitter To Build A Muslim DDoS Botnet

Monday, June 7th, 2010

Security researchers warn that multiple spam campaigns detected on Twitter over the weekend target users via replies on topics they employed in recent tweets. Most malicious links spread in this way lead to websites pushing DDoS-capable trojans controlled from Muslim countries.

British antivirus vendor Sophos warned on Saturday that phishing and malware-distribution attacks on Twitter were using the recent international debate concerning the Israeli blockade on Gaza as a lure to trap sympathizers on both sides of the fence. Many of these spams pushed a dangerous trojan known as Bifrost, which, amongst other things, can be used to install additional malicious code remotely.

Chester Wisniewski, a security expert with SophosLabs Canada, announced today that Twitter malware-pushing attacks had since intensified in frequency. The spammers use a wide array of techniques, from linking directly to malware, to sending visitors to Web pages riddled with exploits or infected PDF documents.

“Unlike previous Twitter bots that follow many hundreds of users in the hopes that they will follow back, these bots are @ replying to people on topics they are using in their tweets. If you talk about Obama, they @ reply you with a message about Obama and a malicious link,” Wisniewski explains. “What surprises me is the range of exploits and malware being used. I have detected plain old trojans that expect you to install them, malicious Java code targeting vulnerabilities from the past year, malicious JavaScript redirects and poisoned document files,” he adds.

The researcher speculates that many of these attacks might be attempts by Gaza sympathizers to build botnets for Distributed Denial of Service (DDoS) purposes. This is because five of the six malware samples distributed by these latest spam campaigns have command and control servers in Muslim countries like Morocco or Saudi Arabia. In addition, the fact that all samples are variants from the same malware family and all C&C servers are using the no-ip.biz DynDNS provider further suggests a connection between them.

One good piece of news is that the spammers made no effort to obfuscate the malicious links via a URL shortening service. This should make it considerably easier for Twitter to block the attacks and identify the offending tweets that have already been posted.

Credit: Softpedia.com News

Clickjacking Worm Hits Facebook, Hundreds Of Thousands Affected

Monday, May 31st, 2010

A clickjacking worm that forced hundreds of thousands of unsuspecting Facebook users to unknowingly post spam messages on their profiles spread rapidly through the social networking website over the weekend. The worm used catchy news headlines to lure its victims into the trap.

Clickjacking is a Web attack technique that involves hijacking users’ mouse clicks on a page (hence its name) and using them to trigger unauthorized actions. The attack is technically known as user interface (UI) redressing because it hides a clickable object, such as a button, by making it transparent and superimposing it over a non-dangerous looking one.

Though not new, the technique was only brought to public attention last year, when reputed Web security researchers Jeremiah Grossman and Robert Hansen disclosed some critical attacks based on it. One of them allowed ill-intentioned hackers to turn on a computer’s Web camera and microphone by exploiting a bug in the Flash Player Settings Manager.

The latest Facebook worm seems to be a proof of concept, because it does nothing destructive and its only purpose is to propagate. The offending messages posted on its victims’ profiles are based on real and catchy news topics from the past several months. “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE”, “This man takes a picture of himself EVERYDAY for 8 YEARS!!”, “The Prom Dress That Got This Girl Suspended From School”, or “This Girl Has An Interesting Way Of Eating A Banana, Check It Out!” are some of the examples.

Clicking on the messages takes users to external pages hosted at blogspot.com, which only display a text that reads “Click here to continue.” However, clicking anywhere on the page abuses the user’s active Facebook session to publish a spam message back to their profile.

“The trick, which uses a clickjacking exploit, means that visiting users are tricked into ‘liking’ a page without necessarily realising they are recommending it to all of their Facebook friends. […] If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your ‘Likes and interests’ section,” advises Graham Cluley, senior technology consultant at Sophos, whose antivirus products detect this threat as Troj/Iframe-ET.

To protect themselves, Mozilla Firefox users can install NoScript, a browser extension that includes protection against clickjacking attacks, amongst others.
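An added example, not code from either clickjacking article above, of the server-side check behind both stories: whether a page that performs an action on a click lets an arbitrary site load it inside a hidden IFrame. It classifies the X-Frame-Options header and the newer Content-Security-Policy frame-ancestors directive; all header values and origins are constructed.

```python
# Added example, not from the articles: classify whether a page's response
# headers stop it from being loaded inside an IFrame, the vehicle both
# clickjacking attacks described above rely on. Header dicts are constructed.
from urllib.parse import urlparse


def _header(headers, name):
    """Case-insensitive lookup of one header value (None if absent)."""
    for key, val in headers.items():
        if key.lower() == name:
            return val.strip()
    return None


def _host(source):
    """Normalise a CSP source or URL: 'https://a.example/x' -> 'a.example'."""
    source = source.strip("'").lower()
    return urlparse(source).netloc if "://" in source else source


def frame_ancestors(csp_value):
    """Return the hosts listed by frame-ancestors, or None if not present."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [_host(t) for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Return (policy, allowed_hosts); policy is 'denied', 'same-origin',
    'allow-list' or 'unprotected'. CSP frame-ancestors is checked first
    because browsers that support it ignore X-Frame-Options alongside it."""
    csp = _header(headers, "content-security-policy")
    sources = frame_ancestors(csp) if csp is not None else None
    if sources is not None:
        if sources == ["none"]:
            return "denied", []
        if sources == ["self"]:
            return "same-origin", []
        if "*" in sources:
            return "unprotected", []
        return "allow-list", sources       # may hold 'self' plus named hosts
    xfo = _header(headers, "x-frame-options")
    if xfo:
        tokens = xfo.upper().split()
        if tokens[0] == "DENY":
            return "denied", []
        if tokens[0] == "SAMEORIGIN":
            return "same-origin", []
        if tokens[0] == "ALLOW-FROM" and len(tokens) > 1:   # obsolete form
            return "allow-list", [_host(tokens[1])]
    return "unprotected", []          # no header: any site can frame the page


def can_be_framed_by(headers, page_origin, framer_origin):
    """True if a page at page_origin can be embedded by framer_origin."""
    policy, allowed = framing_policy(headers)
    page_host, framer_host = _host(page_origin), _host(framer_origin)
    if policy == "denied":
        return False
    if policy == "same-origin":
        return page_host == framer_host
    if policy == "allow-list":
        return framer_host in allowed or ("self" in allowed and page_host == framer_host)
    return True
```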

Credit: Softpedia.com News

Another Vulnerability Leaks Private Data On Facebook

Wednesday, May 19th, 2010

Facebook engineers are finishing a patch for a critical vulnerability that exposed user birthdays and other sensitive data even when they were designated as private, a security researcher said Wednesday.

The bug could be exploited by prompting a user to click on a link while logged into the social networking site, said M.J. Keith, a senior security analyst with Alert Logic, a provider of cloud-based intrusion detection systems. Attackers could then read, delete, or alter a victim’s profile page, including pictures and data that are set to be viewed only by trusted friends.

“I would assume that every single Facebook user [could] have [had] their Facebook page defaced or have exposed things about them,” Keith told El Reg. The bug “gives the attacker almost as much control as the user.”

At time of writing, much of the CSRF (cross-site request forgery) bug appeared to have been patched, Keith said. However, attackers still could exploit the flaw to control a user’s “like” functions, which are used to endorse ads and other types of content.

The flaw involved a piece of code Facebook engineers dubbed “post_form_id,” which is used to ensure that commands can be issued only by browsers that have previously logged into the website. Keith discovered a simple way to bypass the security token: by omitting it altogether, Facebook servers no longer attempted to validate browsers.
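An added illustration (not Facebook’s code) of the token-check shape behind the post_form_id bypass: a validator that only compares the token when one is present, next to one that fails closed when it is absent. The session store, form dicts and the simulated endpoint are constructed; only the field name post_form_id comes from the article.

```python
# Added example, not Facebook's code: the two shapes of a CSRF token check.
# The first reproduces the class of bug described above (a missing token skips
# validation); the second fails closed. Session store and forms are constructed;
# the field name post_form_id is the one the article quotes.
import hmac
import secrets

TOKEN_FIELD = "post_form_id"


def issue_token(session):
    """Create a fresh per-session CSRF token and remember it server-side."""
    session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def is_valid_request_vulnerable(session, form):
    """Only compares the token when the client bothered to send one."""
    expected = session.get(TOKEN_FIELD)
    if TOKEN_FIELD in form:
        return form[TOKEN_FIELD] == expected
    return True        # BUG: a request carrying no token at all is accepted


def is_valid_request_hardened(session, form):
    """Reject unless a token was issued, one was sent, and the two match."""
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False   # absent token is a failure, never a skipped check
    # constant-time comparison so a mismatch leaks nothing through timing
    return hmac.compare_digest(expected, supplied)


def handle_profile_update(session, form, validator):
    """Simulated state-changing endpoint: True if the change was applied."""
    if not validator(session, form):
        return False
    session["profile"] = form.get("bio", "")
    return True
```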

Facebook representatives didn’t respond to questions about the status of the bug fix.

It’s at least the second glitch to compromise Facebook user privacy this month. Nine days ago, Facebook had to temporarily disable the site’s live chat function to contain a bug that allowed users to eavesdrop on their friends’ conversations.

Credit: The Register