CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Social Networks’ Category

Google Buzz Vulnerability Reveals User Geo Location

Tuesday, February 16th, 2010

Already besieged by complaints of shoddy user privacy, Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday.

The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that sets authentication cookies for a variety of popular Google services, including Mail, Calendar and Documents. That means an attacker might be able to hijack victims’ accounts simply by tricking them into visiting a booby-trapped link.

What’s more, the vulnerability ties into the much-vaunted Google Location Services, making it possible for the attacker to learn the geographical location of users who have already opted in.

“It’s a pretty nasty vulnerability, actually,” Robert “RSnake” Hansen, CEO of secTheory.com, said. “If you’ve already agreed to that before being exploited, which most people will do, then the attacker also gets to know your location.”

The vulnerability is the result of web applications that fail to adequately scrutinize user input for malicious commands that inject unauthorized content and JavaScript into browsers visiting google.com addresses. The vulnerability, which Hansen said was reported by a hacker known as TrainReq, is also notable because it works over the SSL, or secure sockets layer, protocol.

The resulting “https” and “google.com” included in the address is likely to lead some victims into believing the address is safe, he said.

Over the years, Google engineers have done a good job at fortifying the site against XSS flaws. In the rare instances the bugs get through, Google personnel are usually quick at stamping them out once they’ve been reported.

Credit: The Register

Twitter Grader Service Hacked, Thousands Of Unauthorized Tweets Posted From User Accounts

Friday, February 12th, 2010

A popular Twitter service called Twitter Grader was hacked yesterday, causing thousands of unauthorized tweets to be posted from the accounts of its users. Twitter Grader, which is normally available from grader.com along with other free grading applications, allows Twitter users to see how influential they are on the micro-blogging platform. The service is developed by an Internet marketing company called HubSpot.

The company’s founder and CTO, Dharmesh Shah, was completely taken by surprise yesterday when Twitter Grader users, including himself, started posting a strange message on their feeds. The unauthorized tweets contained a link to a 2006 video of Biz Stone promoting the micro-blogging platform.

Rik Ferguson, solutions architect at antivirus vendor Trend Micro, analyzed the message and concluded that, “The link that has been endlessly tweeted by grader users does not appear to host any malicious content.” The researcher also launched a possible explanation for the attack. “The domain name of the destination site [seonix.org] however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack,” he wrote.

Access to the entire grader.com domain has been temporarily suspended until the issue is addressed and all applications are moved to more secure servers. The company also stresses that customers of its commercial services have not been affected, as these are hosted on a different infrastructure. Additionally, the usernames and passwords of Twitter users have not been compromised, because the Twitter Grader service used OAuth, a technology that doesn’t require login credentials.

The responses to the official blog post about the attack are overwhelmingly favorable, commending the company for its openness and seriousness in handling the incident. “Ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot,” Rik Ferguson wrote, while an executive officer with a different company noted that, “How you handled it […] should be a lesson (case study?) for others.”

Credit: Softpedia.com News

Warez Backdoor Allowed Hackers To Steal Twitter Passwords

Wednesday, February 3rd, 2010

Twitter has lifted the lid on its recent advice to many users to reset their passwords for the micro-blogging site.

Originally, it was thought that the guidance had come in response to a common or garden phishing attack. In a post on Tuesday, Twitter explained that the attack was actually far more devious and elaborate.

Hackers established Torrent user sites and forums with hidden backdoors. They waited for these forums to grow in popularity before they harvested login details.

These login credentials were then used in attempts to break into accounts on third party sites such as Twitter. The attack relied on the frequent mistake of using the same password and user ID combination for multiple sites.

In other words, victims are using the same password/userID combo on warez forums and Twitter, a mistake that left them open to attack because unidentified hackers had backdoor access to these forums.

Twitter detected the attack after it became suspicious of a “sudden surge in followers” to two previously obscure accounts last week. Followers of these accounts were advised to change their passwords over concerns that hackers involved in the attack had compromised their accounts to, err, gain more followers on Twitter.

It’s unclear how many profiles were pwned by the attacks or what other sites might have been involved. All might have been prevented via the use of rudimentary password security precautions.

“The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites,” writes Del Harvey, director of Trust and Safety at Twitter. “We strongly suggest that you use different passwords for each service you sign up for,” he adds.

Credit: The Register

Microsoft’s Live Space Invaded By Pharma Link Spammers

Wednesday, December 23rd, 2009

Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targeting Microsoft’s web properties.

Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.

In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.

The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting “comments” on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.

Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft’s Live Spaces environment.

Whatever the distribution method, it’s clear these cybercriminals will continue to evolve new ways of advertising their bogus sites. An alert by eSoft containing screen shots of the fake pharma-punting blogs that have begun affecting Live Spaces can be found here.

Credit: The Register, Threat Center Live Blog

RockYou.com SQL Injection Flaw Exposes 32 Million Account Passwords

Wednesday, December 16th, 2009

Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs.

RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email addresses in plain text. That’s bad enough in itself, but then an SQL injection flaw on RockYou’s website exposed the information to prying eyes.

Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilize for webmail accounts associated with their social networking profiles, creating yet more potential problems.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The attack is extremely basic in execution, yet catastrophic in impact – which RockYou, and the site’s users, are now learning the hard way. It is more of a surprise that this had not happened sooner – as the RockYou platform is a Swiss cheese of security vulnerabilities and poor practices.
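The two defects the story describes, a login query built by string concatenation and a user table holding passwords in the clear, are shown below side by side with their fixes. This is an added example and not RockYou’s code; the table layout, the sample users and the tampered input are constructed, and the hashing scheme (salted PBKDF2-HMAC-SHA256) is one reasonable choice rather than anything the article prescribes.

```python
import hashlib
import hmac
import os
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for a user table that, like the one
    described in the article, keeps passwords in the clear. Not the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hunter2", "alice@example.com"),
         ("bob", "letmein", "bob@example.com")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Defect: user input is pasted into the SQL text, so a quote character in
    the input changes the query's structure instead of being compared as data."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Fix: bound parameters. The driver passes the values separately from the
    statement, so they can only ever be compared as literal values."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest rather than the password, so a
    dumped table does not hand out credentials reusable on webmail accounts."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed textbook input: the quote closes the password literal and the
    # trailing OR makes the WHERE clause true for every row.
    tampered = "' OR '1'='1"
    print("concatenated query returns:", login_vulnerable(db, "alice", tampered))
    print("parameterized query returns:", login_parameterized(db, "alice", tampered))
    record = hash_password("hunter2")
    print("stored form:", record)
    print("verify correct:", verify_password(record, "hunter2"))
    print("verify wrong:", verify_password(record, "letmein"))
```

Run as a script, the concatenated query returns every user for the tampered password while the parameterized one returns nothing, and the stored record contains the salt and digest but never the password itself.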

“The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database… since the user names and passwords are by default the same as the user’s webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security,” Shulman said.

“Unfortunately some accounts had already been compromised before the vulnerability was fixed,” Shulman said. “All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk.”

It’s unclear why RockYou left passwords on its systems without encrypting them in the first place. We dropped a note to the developers asking for a response on this point on Tuesday, but are yet to hear back. We’ll update this story as and when we know more.

RockYou has reportedly fixed the issue, but this may have come too late for some.

Credit: The Register, TechCrunch.com

Facebook Urges Public Exposure In ‘Privacy’ Revision

Thursday, December 10th, 2009

Facebook is urging its 350 million users to open their kimonos to the entire internet as part of its revamped security settings.

Unveiled on Wednesday, the social network’s new privacy controls are designed to expose a user’s personal data - including status updates, posted content, and details about friends and family - to everyone on the wild, wild web.

Facebook says the freely-shared data “makes it easier for people to find and learn about you” — but critics claim it’s actually a ploy to drive up Facebook traffic by getting more of its pages cataloged by RSS feeds and search engines.

Starting now, when a current user logs into Facebook, they will be asked to review and update their privacy settings. Users are then prompted to make changes to who (and what) is allowed to ogle various sections of their profile and postings.

It should be noted that users under 18 are restricted to sharing details with Facebook friends no matter which options they select.

Credit: The Register

Facebook Hit With A New Clickjacking Worm

Tuesday, November 24th, 2009

The attack began when a victim encountered an image of a near-naked woman on a friend’s profile page along with the words “Want 2 C something hot? Click da button, baby!” Facebookers who took the bait - and were logged in to their accounts at the time - found their profile pages were updated to include the same image. The more people who fell for the come-on, the more the come-on was presented to new potential victims, giving the attack a viral quality.

Researchers who first spotted the ruse attributed it to a CSRF, or cross-site request forgery, vulnerability on Facebook’s site. A spokesman for the social networking site disputed that explanation, saying the attack was really the result of clickjacking.

“This problem isn’t specific to Facebook, but we’re always working to improve our systems and are building additional protections against this type of behavior,” Facebook spokesman Simon Axten wrote in an email. “We’ve blocked the URL associated with this site, and we’re cleaning up the relatively few cases where it was posted (something email providers, for example, can’t do).”

Clickjacking is a vulnerability at the core of the web that allows webmasters to trick users into clicking on a link they didn’t intend to. The exploits are pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique. Websites that accept user-generated content make especially potent launch pads for such attacks.
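The invisible-iframe trick only works when the target page lets itself be framed by other origins, so the defensive check is whether a site’s state-changing pages send a framing restriction. The function below, an added example rather than anything from the article or from Facebook, classifies one response’s headers: the CSP frame-ancestors directive is checked first because browsers ignore X-Frame-Options when it is present, and ALLOW-FROM is treated as unprotected because current browsers do not honour it. The sample responses are constructed.

```python
def framing_policy(headers):
    """Classify one HTTP response's framing protection.

    Returns (protected, reason). Browsers honour two controls: the CSP
    frame-ancestors directive (checked first, since when it is present
    X-Frame-Options is ignored) and X-Frame-Options itself. Header names
    are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "*" in sources:
                return False, "frame-ancestors * lets any origin frame the page"
            if not sources or sources == ["none"]:
                return True, "frame-ancestors 'none' forbids all framing"
            return True, "frame-ancestors limited to " + " ".join(sources)

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is not honoured by current browsers; use frame-ancestors"
    return False, "no framing restriction in the response"


def unprotected_pages(responses):
    """Given {path: headers}, return the paths another site could load in a
    hidden iframe, i.e. the candidates for a clickjacking overlay."""
    return sorted(path for path, hdrs in responses.items()
                  if not framing_policy(hdrs)[0])


# Constructed sample responses, standing in for headers captured from a
# site's own pages; not real Facebook responses.
SAMPLE_RESPONSES = {
    "/share": {"Content-Type": "text/html"},
    "/profile": {"X-Frame-Options": "SAMEORIGIN"},
    "/settings": {"Content-Security-Policy":
                  "default-src 'self'; frame-ancestors 'none'"},
    "/widget": {"content-security-policy": "frame-ancestors *",
                "X-Frame-Options": "DENY"},
}


if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        ok, why = framing_policy(hdrs)
        print(f"{path:10} {'protected' if ok else 'FRAMEABLE':10} {why}")
    print("frameable pages:", unprotected_pages(SAMPLE_RESPONSES))
```

Note the `/widget` case: its X-Frame-Options DENY is irrelevant because the permissive frame-ancestors directive takes precedence, which is the sort of mixed configuration a manual review tends to miss.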

This latest attack is a reminder that it’s often impossible to know where a given link will lead, even for careful users. Indeed, Gadi Evron, one of the security researchers who first spotted the exploit, confessed to having his Facebook page briefly display the image after first encountering it on a friend’s page.

“This shows that even experts can become complacent and trust systems when they really shouldn’t,” he wrote.

Facebook administrators have already blocked the clickjacking exploit.

Credit: The Register, AVG Blogs

Botnet’s New Component Imitates Human Facebook Users

Wednesday, November 11th, 2009

The Koobface botnet has pushed out a new component that automates the following routines:

Registering a Facebook account
Confirming an email address in Gmail to activate the registered Facebook account
Joining random Facebook groups
Adding Facebook friends
Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it checks whether it has already reached the maximum number of friend requests Facebook allows. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages: http://www.facebook.com/safety and http://www.facebook.com/security.

Credit: Trend Micro Malware Blog

Protesters Hijack Hundreds of Facebook Groups, Pointing Out Weakness In Social Networks

Wednesday, November 11th, 2009

Hundreds of Facebook groups have been hijacked in recent days by users pointing out what they say is a weakness in how the social-networking site handles the administration of its groups. By Tuesday morning, 286 groups had apparently been renamed Control Your Info and had a new message posted to their walls.

“Hello, we hereby announce that we have officially hijacked your Facebook group,” the message reads. “This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly [sic].”

According to Control Your Info, when Facebook group administrators step down, anyone else can take over their duties — giving them access to members’ personal information, the ability to send messages to all members of the group and the authority to make changes to that group.

“For example we could rename your group and call it something very inappropriate and nasty like ‘I Support Pedophiles’ Rights,’ ” the message continued. “But have no fear. We won’t.”

Among the groups renamed “Control Your Info” on Tuesday were a “Twilight” fan group, supporters of a high school football team and patrons of a Virginia winery.

In a statement, Facebook said no confidential information has been placed at risk.

“The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to confidential information and group members can leave a group at any time,” said a Facebook spokesperson.

“For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members. The names of large groups cannot be changed nor can anyone message all members.

“In the rare instances when we find that a group has been changed inappropriately, we will disable the group,” the spokesperson said.

The names of two Facebook users who have posted Control Your Info messages after group takeovers — Janis Roukkos and Bella Roregit — did not appear to have active Facebook accounts by mid-morning Tuesday.

A message on Control Your Info’s Web site blamed Facebook for shutting down the group’s fan page. Members of the group could not be reached for comment Tuesday.

The group, which offered only a YouTube account as contact information, disagreed with calling what it had done “hacking.”

“This isn’t some kind of scare tactics, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways,” the post reads. “Remember, control your info! Also, this project is strictly not for profit and done for a good cause.”

The group’s site contains pages of tips on protecting social-network users’ private information.

Not all members of the groups that were hijacked were taking the stunt in the spirit it was apparently intended.

“It’s pretty inappropriate and [expletive] you hijacked a facebook group for Palestinian rights to selfishly promote your little conspiracy theory page,” one user wrote. “I reported this to facebook and others should too.”

Credit: CNN.com Technology News

Facebook, MySpace Backdoor Exposed User Accounts

Thursday, November 5th, 2009

Facebook and MySpace have closed gaping security holes in their sites that gave attackers full access to accounts that had automatic-login features enabled.

The vulnerabilities were significant. Because the unauthorized access would be mapped to the victim’s IP address and website cookie, the intrusions would be virtually untraceable. Attackers were then free to upload photos and messages designated as private with no indication at all to the victim.

Facebook and MySpace closed the backdoors shortly after being notified, a marked improvement from the past, when the sites sometimes allowed serious security holes to persist for months. Still, it probably shouldn’t have taken an outsider to discover the bug. This is the latest episode to demonstrate that the only sure way to ensure that data is private is to keep it off social networking sites altogether.

The backdoors were the result of a misconfigured crossdomain.xml, the policy file websites use to let Adobe Flash content share data across domains. Some of the domains that were accessible exposed authentication tokens for accounts that had the auto-login feature turned on.

Facebook developers had blocked access from the main domain, but didn’t bother to notice the sensitive data was accessible when Facebook subdomains were used. MySpace similarly locked its front door but left a window at farm.sproutbuilder.com, which had full access to the data.

The holes could be exploited by luring victims to sites that had a Flash application installed designed to grab the authentication information, the developer said.
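The lesson of the Facebook and MySpace cases is that a crossdomain.xml has to be reviewed on every host that can hand out session data, not just the main domain. The audit below is an added example, not the sites’ own tooling: it parses one policy file, flags wildcard or third-party `allow-access-from` entries, `secure="false"`, and a missing `site-control` restriction, and then applies that check across a constructed host-to-policy mapping so a clean main domain and a permissive subdomain show up side by side. The two policy documents and the host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed policy files, not the ones the sites actually served.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>
"""

# Constructed mapping of hosts to the policy each one serves. The main
# domain is locked down; a subdomain that also sees the session cookie is not.
SITE_POLICIES = {
    "www.example.com": RESTRICTED_POLICY,
    "static.example.com": PERMISSIVE_POLICY,
}


def audit_crossdomain(xml_text, own_hosts=()):
    """Return a list of findings for one crossdomain.xml document.

    Flash content loaded from a host named in allow-access-from may read
    this host's responses with the user's cookies attached, so every entry
    is a trust decision. own_hosts lists the hosts the site itself controls;
    any other named host is reported as a third party.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append("domain='*': any site may read responses as the logged-in user")
        elif domain.startswith("*."):
            findings.append(f"domain={domain!r}: every host under that suffix is trusted")
        elif own_hosts and domain not in own_hosts:
            findings.append(f"domain={domain!r}: third-party host is trusted")
        # secure defaults to true on an HTTPS policy; only an explicit false is a finding.
        if entry.get("secure", "true").lower() == "false":
            findings.append(f"domain={domain!r}: secure='false' lets HTTP content read HTTPS responses")
    control = root.find("site-control")
    permitted = (control.get("permitted-cross-domain-policies", "all")
                 if control is not None else "all")
    if permitted not in ("master-only", "none"):
        findings.append("no site-control master-only: policy files in subdirectories are also honoured")
    return findings


def audit_site(policies, own_hosts=()):
    """Audit {host: crossdomain.xml} for every host. A clean policy on the
    main domain says nothing about a subdomain that serves session data."""
    return {host: audit_crossdomain(text, own_hosts) for host, text in policies.items()}


if __name__ == "__main__":
    own = tuple(SITE_POLICIES)
    for host, findings in audit_site(SITE_POLICIES, own_hosts=own).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In the sample, www.example.com passes and static.example.com is reported twice (the wildcard and the missing site-control), which is the shape of the subdomain gap described above.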

Credit: The Register