
Facebook users plagued by rogue application

29 January 2010

Facebook was plagued by security and privacy issues both real and imagined in the last week, as a real-life worm battled with an imaginary one in a competition to see which could petrify the service's users the most.

Facebook was hit by a worm that rapidly replicated itself across users' accounts, at the same time as a development bug in the system scared users into thinking that they had been infected by malware. The real worm showed up as a status update from an infected contact, with the message "My ex-girlfriend cheated on me...Here is my revenge!" The developer used CSS to trigger the 'share' event automatically when the message is clicked, according to Facebook blog allfacebook.com. Anyone clicking on the message had it automatically copied to their own status update.

Users are advised to change their usernames and passwords, if they were unfortunate enough to have clicked on the link.

"This is an example of clickjacking, where a website contains embedded code that causes an action to be taken through the browser without the user’s knowledge or permission", Facebook told Infosecurity. "This problem isn’t specific to Facebook, but we’re always working to improve our systems and are building additional protections against this type of behavior."

"We’ve blocked the URL associated with this site, and we’re cleaning up the relatively few cases where it was posted (something email providers, for example, can’t do)", Facebook added. "Overall, an extremely small percentage of users were affected."

The worm appeared shortly after a confusing 'rogue application' emerged, worrying Facebook users. The application, which has no name, appeared to add itself to people's accounts without their consent, according to reports from worried Facebook users.

"I have an application called the Unnamed App that has been added to my profile without my consent," posted one user. "Is this something that Facebook added automatically? I saw on a friend's status update that it could be spyware...is this true?"

"This was a bug, which we have now fixed," said Facebook on its security page. "It did not damage any accounts. Be wary of any sites that claim to be able to fix this, as they might contain malicious software."

The bug in the Facebook user interface made a normally hidden system tab visible in the browser. The system tab holds Boxes from applications that Facebook users don't want to appear on their regular profile page.

Online criminals were quick to create malicious pages designed to poison search engine results delivered to users trying to find information on the subject.

In yet another problem for Facebook, reports emerged of a new and more serious privacy bug in the new Facebook Application Dashboard, which the company will roll out to its user base in the next few weeks. It was possible for users to view the latest applications that their friends have been using, said reports. The application and games dashboards have been made available in beta form for Facebook developers to test their applications, prior to a wider launch.

 
