Facebook botnet risk revealed

September 6, 2008 – 5:07 PM

Researchers have built a proof-of-concept Facebook application that, in a demonstration, turned the machines of people who added it to their Facebook pages into a botnet launching denial-of-service attacks on a victim server.

“Social Network Web sites have the ideal properties to become attack platforms,” according to a paper entitled “Antisocial Networks: Turning a Social Network into a Botnet,” authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore.

The demo application, called Photo of the Day, displays a new photo from National Geographic every day. However, every time someone views the photo, the victim's host computer is forced “to serve a request of 600 Kbytes,” according to the paper.

Such a botnet could be used for other types of attacks, such as spreading malware, scanning computers for open ports and overriding authentication mechanisms that are based on cookies, the paper warned.

The researchers suggested that Facebook and other social networks be careful in designing their platform and APIs so that there are few interactions between the “social utilities they operate and the rest of the Internet.”

“More precisely, social network providers should be careful with the use of client side technologies, like JavaScript, etc,” the paper says. “A social network operator should provide developers with a strict API, which is capable of giving access to resources only related to the system. Also, every application should run in an isolated environment imposing constraints to prevent the application from interacting with other Internet hosts, which are not participants of the social network. Finally, operators of social networks should invest resources in verifying the applications they host.”
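The isolation the authors recommend, reduced to one concrete check a platform could run over an application's submitted markup before rendering it to viewers. This is an added example, not code from the paper or from Facebook; the platform host names and the sample markup are constructed.

```python
"""Host-allowlist check for markup submitted by a third-party social-network
application. Added example; PLATFORM_HOSTS and the sample markup are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: hosts that belong to the social network itself.
PLATFORM_HOSTS = {"apps.platform.example", "static.platform.example"}

# Attributes through which embedded markup makes a viewer's browser fetch a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster"}

class ResourceCollector(HTMLParser):
    """Collects every (tag, attribute, url) triple that would cause a fetch."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                self.refs.append((tag, name, value.strip()))

def external_host(url):
    """Return the host a URL would contact, or None when the fetch stays on the
    platform (relative URL or allow-listed host). Non-HTTP schemes such as
    javascript: or data: are reported as well so they get rejected too."""
    parts = urlsplit(url, scheme="https")   # '//host/x' still yields a host
    if parts.scheme not in ("http", "https"):
        return parts.scheme + ":"
    host = (parts.hostname or "").lower()
    if not host or host in PLATFORM_HOSTS:
        return None
    return host

def check_app_markup(markup):
    """Return the (tag, attr, url) references that would make the viewer's
    browser contact a host outside the social network."""
    collector = ResourceCollector()
    collector.feed(markup)
    return [ref for ref in collector.refs if external_host(ref[2]) is not None]

# Constructed sample: the platform-hosted photo is fine; the two hidden fetches
# from an unrelated server are the pattern the paper describes.
SAMPLE_APP_MARKUP = """
<img src="https://static.platform.example/potd/today.jpg">
<img src="http://victim.example/big-file.bin" width="1" height="1">
<img src="//victim.example/big-file.bin">
<a href="/app/photo-of-the-day">Yesterday's photo</a>
"""

if __name__ == "__main__":
    for tag, attr, url in check_app_markup(SAMPLE_APP_MARKUP):
        print(f"blocked <{tag} {attr}={url!r}>")
```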
