Tuesday, March 3, 2009

ShmooCon ’09: Fail 2.0

Nathan Hamiel and Shawn Moyer gave one of the best and most broadly-applicable talks this year, focused on attacking social networks. Odds are pretty good that if you’re reading this, you belong to one or more social networks. In their talk, Hamiel and Moyer weren’t looking to ridicule any particular socnet, although some certainly make it easier than others to do so; they were looking to raise awareness of socnet vulnerabilities in general. As you might expect, they succeeded.

A huge vulnerability with socnets is that, by enabling the aggregation of content from more than a single site, they make attacks like cross-site JavaScript hijacking and cross-site request forgery (CSRF) easy as pie (mmm, pie) to execute. Or, as the presenters put it, “Link to crap offsite = epic fail.” True dat.

Hamiel and Moyer also launched some “experiments” of their own; they were hesitant to describe these as 0days, but instead called them “featureibilities”, or design flaws. So, yeah, they’re jackin’, but they’re jackin’ socnets.

They presented examples of attacks on MySpace and LinkedIn, as well as examples of seriously dumb Twitter usage (like the congressman who twittered that he’d just landed in Baghdad… nice job painting a bullseye on your back, pal). The MySpace attack was the more technical of the two, whereby you could force someone to show up as a friend. The LinkedIn attack was more of a true social engineering attack, using fake profiles of plausible people, and resulted in people coughing up information that they really wouldn’t want disclosed publicly.

The presenters went on to discuss a bunch of other socnet vulnerabilities, also mentioning the Firefox extension they're working on called CSRFblocker, whose progress you can follow at their site. (As an aside, you should check out the extremely interesting paper on drive-by downloads called “All Your iFRAMEs Point to Us”). They also showed how one can compromise certain AT&T DSL modems from Netopia/Motorola; more on that here. Again, way cool stuff.

If you use socnets (and you know you do), make sure to check out Hamiel and Moyer’s slides. And, when I ignore your request to install a Facebook app tagging me as the coolest person on FB, or the app where you want me to throw a dead cow at Tony Soprano, you’ll now understand why—social networks as threat vectors concern me. If I’m going to get pwn3d, I’m going to get pwn3d somewhere else.
