August 25th, 2008

The ugly truth: Satan, social networks and security

Posted by Jennifer Leggio @ 7:02 am

Categories: Facebook, LinkedIn, Microblogging, MySpace, Reputation and Privacy, Security, Social Business Analysis, Social Media, Social Media Best Practices, Social Media and Security, Social Networks

Tags: Social Networking, Black Hat, Network, App, MySpace, SocNets, SocNet, Security, Jennifer Leggio

To us, then, the most obvious route to mass exploitation via a SocNet seems to be creating an app that gains a large installed base, waiting a few months, and then “going rogue” and delivering a malicious payload. A trojaned SocNet app is especially effective since it doesn’t actually require that a user have the app installed, just that someone views the profile of a user with the app installed. So, an evil app doesn’t just make it possible to attack each user that installs it, but also (because of the interconnectedness hardwired into a SocNet) every connection (and potential connection) the victim might have.

The funny thing to us about how astoundingly bad SocNet apps are from a security perspective (without even touching on the laundry list of problems in even legitimate apps themselves, as detailed very well by TheHarmonyGuy) is how little the defenses SocNets have built take this attack surface into account. As attackers, why do we care if JavaScript is stripped from comments, if apps run in a separate execution domain, or if all requests are tokenized against CSRF? We can just compromise the client, via a trojaned application, and have full control of the desktop for any purpose we wish.

Which brings us to an interesting point. The security architecture around SocNet apps does do one thing quite effectively: it protects the apps themselves from the SocNet providers. Unless the Same Origin Policy isn’t enforced by the client browser, ultimately an evil app can’t directly attack the SocNet itself, because apps are sandboxed away in a different execution domain. This does little to protect the user from the app, but it does a lot to provide plausible deniability while still allowing developers to create (and users to install) SocNet apps, which (EULAs notwithstanding) appear to have a de facto endorsement from the SocNet and execute on the user’s profile page as a component of the user experience.

Ugly things further enumerated: offsite content = Fail
For sites that allow HTML markup, image tags, custom stylesheets, and arbitrary linking to external content in comments or in profiles, it’s pretty much game over. The SocNet is placing the trust for where the browser goes and what it does in the hands of an external party. This can be abused in many different ways, from the straightforward route of linking to malware (as the recent comment spam posing as a Flash update, mentioned earlier, is doing) to more subtle ones like silently surfing other sites for click fraud, or installing malware in the background.

Many sites restrict obvious things like inserting “<SCRIPT>” tags, but there are scads of ways to get content inserted, so allowing users control of both markup and arbitrary offsite content seems like a surefire recipe for failure. A quick (and very much incomplete) hall of shame here includes MySpace, LiveJournal, and Hi5, all of which we’re surprised haven’t sunk into the East Bay under the weight of their own pwnability. Nathan went into some further detail on his blog about using offsite content on SocNets for request forgery, specific to MySpace, so take a peek if you’re interested in more detail.
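An added example (our own code, not from the post or any SocNet): a blocklist filter of the kind the post calls insufficient, which only strips `<SCRIPT>` tags, next to an allowlist audit that also refuses offsite URLs in image and link attributes. The tag/attribute policy and the `.test` hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy for a hypothetical SocNet hosted at example-socnet.test.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAME_ORIGIN_HOSTS = {"example-socnet.test", "cdn.example-socnet.test"}


def naive_filter(markup):
    """Blocklist approach: remove <script> tags and nothing else.
    Offsite images, stylesheets and links pass straight through."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", markup)


def _same_origin(url):
    """True only for relative URLs or http(s) URLs on the SocNet's own hosts.
    A protocol-relative '//host/...' URL has a netloc and is checked too."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("", "http", "https"):
        return False
    return parsed.netloc == "" or parsed.netloc.lower() in SAME_ORIGIN_HOSTS


class _Auditor(HTMLParser):
    """Allowlist approach: every tag and attribute must be explicitly
    permitted, and every URL-bearing attribute must stay on-site."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"disallowed attribute {name} on <{tag}>")
            elif name in URL_ATTRS and not _same_origin(value or ""):
                self.findings.append(f"offsite {name} on <{tag}>: {value}")


def audit_markup(markup):
    """Return the list of policy violations; an empty list means it passes."""
    auditor = _Auditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings
```

Feeding the output of `naive_filter` into `audit_markup` shows the gap: the script tags are gone, but the offsite image the filter let through is still flagged.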

Ugly things that won’t improve any time soon: The Culture of Trust
A final source of exposure is one that isn’t entirely the fault of SocNets (though a pervasive culture of information sharing is certainly baked into their business model): it’s the users themselves. And ultimately this is a tough one to solve. We don’t sign on to SocNets to lurk and be unapproachable; we sign on to find friends, communicate, and interact. That is what makes being part of a SocNet so addictive, but it’s also why any SocNet attack that integrates a social engineering component or utilizes “trusted” connections as a vector is very likely to be effective.

Our recent impersonation exercises on SocNets have been documented ad infinitum, so there’s not much point in beating a dead horse. Suffice it to say that if you haven’t personally contacted and spoken face-to-face with everyone on your connection list, right now may be a good time to confirm that none of them have, for instance, horns and a vestigial tail.

Shawn Moyer and Nathan Hamiel are both senior security consultants, but for two different consultancies. They worked together briefly for the same client and spent some time planning the apocalypse and presented the talk “Satan is on my Friends List: Attacking Social Networks” at Black Hat and Defcon a few weeks back. They can be reached on a number of SocNets, or emailed at zdnetbloggything [at] agurasec døt cøm.


Jennifer Leggio, aka "Mediaphyter," writes about the "social business" side of social media, including enterprise, security and reputation issues.

Talkback (most recent of 8):
RE: The ugly truth: Satan, social networks and security
The creation of SocNets is just one step toward our own self-created Matrix (un)reality. The more electronic we allow our relationships to become, the less we need reality to support them. The less ... (Read the rest)
Posted by: throvolos | 09/10/08