[Feb. 17th, 2010|03:10 pm]
I just got hit by a facebook app worm :)
For those of you that aren't on facebook - here are some key things about it. Facebook sends you a "notification" when something interesting happens - like someone "liking" a photo of you, or commenting on something you did or said. Facebook also has a system of third party "apps", that can also send notifications and generally do anything that you can do, in your name. Usually these apps are things like "Farmville" and so on - silly little games that make use of the social network. They're very popular - but I tend to ignore them.
Today, I got a facebook notification that said "$FRIENDSNAME likes your photo". Only, you know, with a real friend's name...
This is normal - I have some photos on facebook, and it's not unusual for my friends to like them. The usual procedure on being notified that someone likes your photo is to click on the hyperlink "your photo" to see which photo it was that they liked. I did that, and was asked if I wanted to give the "Like" app permission to access my profile.
Well, facebook used to have a bunch of built in functions that they later abstracted out into apps - I remember the transition. One of those functions was what is now the "photos" app. And they've just upgraded the whole UI again, so it seemed plausible that "like" had previously been a builtin, and had now been abstracted into an app that I needed to give permission to. Stupid, but plausible.
As it turned out, the app "Like" wasn't written by facebook at all - it was a third party app. The hyperlink in the notification wasn't a hyperlink to a photo, but to the app install page. Giving permission on that page allowed the app to install and run, whereupon it spammed 27 of my friends with identical notifications "Totherme likes your photo", and then redirected my browser to some commercial webpage. (does anyone know if 27 is some kind of limit placed on the number of notifications an app can send out simultaneously? To prevent spam, perhaps?)
Of course, I immediately backtracked to facebook, and posted a status update warning others not to give permissions to the Like app. And then I went and removed its permissions from the app in my settings. I also reviewed the app in question, giving it the minimum possible score and the review "It's a worm". There may be other apps doing essentially the same thing - I've seen friends post about "my_virtual_a" among other things, but it seems that the folk that were notified from my account have seen the same notification I saw - the "Like" app.
In the meantime, it may have harvested some of my personal data. There's nothing of real value in there, because I always suspected that facebook might be a bit insecure. I suppose I might get some more spam to one or two of my email addresses now. On the other hand, I believe that some people store some kind of payment information in there, for buying silly valentines and things. So, the problem's potentially a bit more serious than just a new vector for some annoying spam.
So, what's the security hole? Is it my fault for giving permission to the app? Or is it to do with the software? Or with the whole concept of social networks generally?

You could partially plug it by having the permissions page prominently say who wrote the app - I like to think that I personally would be less likely to give perms to an app that was obviously not written by facebook. But not everyone would get that. Maybe the problem is partially that I expect facebook to be just a bit crap - it didn't surprise me that I had to grant perms to something I already used. Maybe the problem is that the app name "like" was free for a third party to use? But would you like to come up with the list of banned app-names?

Maybe apps should have less freedom in the notifications they can send out? "$FRIENDSNAME likes your photo" looks the same whether it's FB or some third party sending the notification. And the URL is a hashed and pretty anonymous facebook-redirect rather than an obvious photo URL - so my usual safe-browsing habits don't help at all there. Maybe the mechanism for sending notifications should always involve a dialog box popping up which makes clear what's being sent, and who to? That'd make doing normal things on facebook quite a bit more clunky - people might well just get in the habit of clicking "yes" to every single one, leaving us back where we are now.
I think it's a fun set of questions anyhow. Any of you lot got any interesting thoughts?
ETA: Or perhaps we really just want to remove consequential things like money from facebook, and live with an insecure system that worms occasionally navigate? I mean, people still hang around in forums where rickrolling and other annoyances are rife - it's just less annoying to those users than the alternatives. What do you think? Are you willing to live with the occasional facebook worm if it means you can have a social network that looks like the one we're all familiar with (without any of the more irritating security measures I'm suggesting here) ? How annoying or damaging do the worms have to get before you'd rather avoid facebook altogether?
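The post describes the worm's signature from the platform's point of view: a user authorises the app, and within a second or two the app fans out identical notifications to a couple of dozen friends, each linking back to the app's own install page. That pattern is detectable on the platform side. The following is an added example (not code from the post, and not Facebook's), a small detector run over a constructed event log. The log format, the field names, the app identifiers, the install-page URLs and the thresholds are all assumptions made for the example; the only thing taken from the post is the shape of the burst (27 identical notifications right after authorisation, linking to the install page).

```python
"""Flag worm-like notification bursts in a hypothetical app-platform event log.

Added example, not the original post's or Facebook's code. Event format,
app ids, URLs and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(seconds=60)   # assumed: burst window after authorisation
FANOUT_THRESHOLD = 10            # assumed: distinct recipients in WINDOW to flag

# Assumed: the platform knows each app's own install/permission page.
APP_INSTALL_PAGES = {
    "like_app": "http://apps.example/like/install",
    "farm_app": "http://apps.example/farm/install",
}


@dataclass
class Event:
    ts: datetime
    kind: str      # "authorize" (user granted perms) or "notify" (app sent a notification)
    app: str
    actor: str     # user in whose name the app acted
    target: str    # notification recipient, "-" for authorize events
    link: str      # URL the notification points at, "-" for authorize events


def parse_line(line: str) -> Event:
    """Parse one line of the assumed format:
    <ISO timestamp> <kind> app=<id> actor=<user> target=<user> link=<url>"""
    ts_str, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kind,
                 kv["app"], kv["actor"], kv["target"], kv["link"])


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_worm_like(events: List[Event], window: timedelta = WINDOW,
                   threshold: int = FANOUT_THRESHOLD) -> Dict[str, List[Tuple[str, int]]]:
    """Return {app: [(actor, recipient_count), ...]} for every authorisation that
    was followed, within `window`, by notifications to >= `threshold` distinct
    users whose link is the app's own install page (self-propagation)."""
    events = sorted(events, key=lambda e: e.ts)
    flagged: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for auth in (e for e in events if e.kind == "authorize"):
        install_page = APP_INSTALL_PAGES.get(auth.app)
        recipients = {
            e.target for e in events
            if e.kind == "notify" and e.app == auth.app and e.actor == auth.actor
            and auth.ts <= e.ts <= auth.ts + window
            and e.link == install_page
        }
        if len(recipients) >= threshold:
            flagged[auth.app].append((auth.actor, len(recipients)))
    return dict(flagged)


def build_sample_log() -> str:
    """Constructed events (not real data): one worm-like burst, two benign patterns."""
    t0 = datetime(2010, 2, 17, 15, 2, 0)
    lines: List[str] = []

    def add(ts, kind, app, actor, target, link):
        lines.append(f"{ts.isoformat()} {kind} app={app} actor={actor} target={target} link={link}")

    # Worm-like: app authorised, then 27 notifications in ~1.5 s, all linking to its install page.
    add(t0, "authorize", "like_app", "totherme", "-", "-")
    for i in range(27):
        add(t0 + timedelta(seconds=1, milliseconds=50 * i), "notify", "like_app",
            "totherme", f"friend{i:02d}", APP_INSTALL_PAGES["like_app"])
    # Benign: a genuine photo "like" notifies only the photo owner, with a photo link.
    add(t0 + timedelta(minutes=1), "notify", "photos", "alice", "totherme",
        "http://www.example/photo.php?id=123")
    # Benign: a game authorised, then three invites sent five minutes later.
    add(t0 + timedelta(minutes=2), "authorize", "farm_app", "bob", "-", "-")
    for i in range(3):
        add(t0 + timedelta(minutes=7, seconds=i), "notify", "farm_app",
            "bob", f"pal{i}", APP_INSTALL_PAGES["farm_app"])
    return "\n".join(lines)


if __name__ == "__main__":
    for app, hits in find_worm_like(parse_log(build_sample_log())).items():
        for actor, n in hits:
            print(f"{app}: {n} install-page notifications sent as {actor} right after authorisation")
```

The two benign patterns are there to show what the rule does not catch: a real "like" has no preceding authorisation and links to a photo, and a game inviting three friends minutes later stays under both the window and the fan-out threshold. The rule keys on the link being the app's own install page because that is what turns a spammy app into a self-propagating one; the thresholds are guesses and a real platform would tune them against its own traffic.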
Is it my fault for giving permission to the app? Or is it to do with the software? Or with the whole concept of social networks generally?
Yes, yes and yes to those.
In which case, the question becomes "are we more interested in stopping the worms, or in keeping the network?" - I've edited the main post to that effect :)
It has to be said that as a facebook avoider (tried it, hated it) I'm probably not your target audience for this post :)
I work on the principle of minimum access only to maximally trusted organisations. I don't give details to an organisation which is going to treat data security in the way Facebook always has (i.e. a totally cavalier approach). I give my details (depending on sensitivity) to a minimum of organisations, and only give out particularly sensitive details to a select few.
This is why I'm so pissed off with Google for the whole Buzz fiasco and am actively looking at alternative systems to gmail (I'm willing to pay money not to be troubled by that crap to be honest). I may not find any, but I'm looking, and if I *do* come across a worthwhile system I'll be deleting my gmail account.
I wrote about Facebook apps in November: http://johnckirk.livejournal.com/288600.html
Basically, I think that their whole security model is flawed, because they have no concept of "least privilege". As a developer, there's no way for me to limit the amount of info I get, I just have to ignore the irrelevant stuff. I'd like to see something like the UAC prompt in Windows, where you'd get a different prompt before an app sends messages to your friends; some apps already do this voluntarily, e.g. challenging friends to quizzes or publishing Flixter reviews on your profile page.
Regarding the author, this app shouldn't be completely anonymous. I had to register as a developer last year, so Facebook should be able to track down the person who wrote it based on their ID; there's no need for digital signatures here.
As for spam, I know a couple of people who had their Facebook accounts hacked recently, i.e. someone was able to guess their password. One guy said that it sent messages to everyone whose name started with "A", so that does imply that there's a limit to the number of people a rogue app can contact in one go.
I agree with the least privilege thing - a smarter and finer grained system might help. I don't know how much it'd help, since many users aren't likely to be able to distinguish between the different levels of permission they give to different apps, but I think it'd at least help a bit.
Yes, the app author isn't anonymous. What I was complaining about above was that the app author wasn't immediately obvious to me at the moment I was clicking "Yes, give permissions to this app". On my android phone whenever I install an app, I get a screen which says "the app called X, written by Y wants permission to do Z". If Y is google, then I'm fairly confident it's not malware.
And yeah, I noticed that I wasn't able to send a single message to everyone that the worm notified. The limit on the number of people that can be notified at once seems to be higher than the number of people that can be messaged at once.
The apps may not be anonymous, but FB seem to do little about apps that are known to be hacked (e.g. Farmville was "outed" as doing some rather dodgy things recently and yet FB didn't seem to respond in any obvious way - certainly Farmville is still available)
One fun option might be for facebook to prominently show reviews by people on your friendslist when an app's asking for permissions. That way anyone who was thinking of giving perms to "Like" would have my "It's a worm" review staring them in the face.
And of course, that's not even a "security measure" - it's a handy feature that you might want anyway.
I think part of the problem is facebook's obsession with UI "upgrades" (i.e. redesigning and making everybody relearn the whole blooming website). You installed "like" because you thought FB was being numptyish again, and it turned out it wasn't, but someone had used social engineering to make you think it was.
I refuse to use *any* application, because I can't tell whether they're part of FB or not. I use it as a minimal tool for certain things. It has its place but mostly it's a pain.
I had always thought of myself as someone who doesn't use facebook apps. That's one of the things that impresses me about this bit of social engineering - it was just convincing enough, for just long enough, to make me think that it was part of facebook, and not really an app.
I'll clarify - I don't use any app that isn't turned on by default. If it's part of facebook, but it looks app-like, I don't use it.
First, I am Jann. I joined this evening because I have nothing better to do than add another 'community' to my day! But after reading through posts, I think I am really going to enjoy it.
I want to add something about a different Facebook worm. Or it may be a variant of Koobface or whatever the latest one is. One of my daughter's friends got in his messages and written on his wall a hyperlink that only slightly resembled something someone would send to go see at YouTube. So, like the YouTube freak he is, he clicked on the hyperlink.
Don't ya know, the worm sent out that link to everyone on his friends' list. Not only that but he lost control of his account. But still maintained his password so he suspended his account. Pshaw! It didn't take an hour for that worm to invade his page again and again and again.......It doesn't help that several of his friends opened the link.
I do not participate in any of the apps on FB, they are mucked up in glitches anyhow. I use it to keep in touch with my family and friends. And I never, and I mean NEVER, open anything, I don't care if it came from one of my dogs. I got my first virus in 1996 and I was new and it took me forever to get it off on my own. So I am mega-cautious.
Long-winded enough? I agree with gaspodog. However, I have not had one problem on either Facebook or MySpace.
2010-06-17 07:46 am (UTC)
I've Been Hit With This Too
I can't believe that Facebook has allowed this to happen. I mean, they should have their users online safety at heart.
Not happy but will still keep on visiting FB
Thanks for the warning, I usually trust this kind of message, that's what makes this worm dangerous. I am sure there are lots of Facebookers in the exact same situation right now. Can you tell if a cloud security software would help in this kind of situation? I'd appreciate any advice!