totherme (totherme) wrote,
totherme
totherme

Facebook worm.

I just got hit by a facebook app worm :)

For those of you that aren't on facebook - here are some key things about it.Facebook sends you a "notification" when something interesting happens - like someone "liking" a photo of you, or commenting on something you did or said. Facebook also has a system of third party "apps", that can also send notifications and generally do anything that you can do, in your name. Usually these apps are things like "Farmville" and so on - silly little games that make use of the social network. They're very popular - but I tend to ignore them.

Today, I got a facebook notification that said "$FRIENDSNAME likes your photo". Only, you know, with a real friends name...

This is normal - I have some photos on facebook, and it's not unusual for my friends to like them. The usual procedure on being notified that someone likes your photo is to click on the hyperlink "your photo" to see which photo it was that they liked. I did that, and was asked if I wanted to give the "Like" app permission to access my profile.

Well, facebook used to have a bunch of built in functions that they later abstracted out into apps - I remember the transition. One of those functions was what is now the "photos" app. And they've just upgraded the whole UI again, so it seemed plausible that "like" had previously been a builtin, and had now been abstracted into an app that I needed to give permission to. Stupid, but plausible.

As it turned out, the app "Like" wasn't written by facebook at all- it was a third party app. The hyperlink in the notification wasn't a hyperlink to a photo, but to the app install page. Giving permission
on that page allowed the app to install and run, whereupon it spammed 27 of my friends with identical notifications "Totherme likes your photo", and then redirected my browser to some commercial webpage. (does anyone know if 27 is some kind of limit placed on the number of notifications an app can send out simultaneously? To prevent spam, perhaps?)

Of course, I immediately backtracked to facebook, and posted a status update warning others not to give permissions to the Like app. And then I went and removed its permissions from the app in my settings. I
also reviewed the app in question, giving it the minimum possible score and the review "It's a worm". There may be other apps doing essentially the same thing - I've seen friends post about "my_virtual_a" among other things, but it seems that the folk that were notified from my account have seen the same notification I saw - the "Like" app.

In the meantime, it may have harvested some of my personal data. There's nothing of real value in there, because I always suspected that facebook might be a bit insecure. I suppose I might get some more spam to one
or two of my email addresses now. On the other hand, I believe that some people store some kind of payment information in there, for buying silly valentines and things. So, the problem's potentially a bit more serious than just a new vector for some annoying spam.

So, what's the security hole? Is it my fault for giving permission to the app? Or is it to do with the software? Or with the whole concept of social networks generally? You could partially plug it by having the permissions page prominently say who wrote the app - I like to think that I personally would be less likely to give perms to an app that was obviously not written by facebook. But not everyone would get that. Maybe the problem is partially that I expect facebook to be just a bit crap - it didn't surprise me that I had to grant perms to something I already used. Maybe the problem is that the app name "like" was free for a third party to use? But would you like to come up with the list of banned app-names? Maybe apps should have less freedom in the notifications they can send out? "$FREINDSNAME likes your photo" looks the same whether it's FB or some third party sending the notification. And the URL is a hashed and pretty anonymous facebook-redirect rather than an obvious photo URL - so my usual safe-browsing habits don't help at all there. Maybe the mechanism for sending notifications should always involve a dialog box popping up which makes clear what's being sent, and who to? That'd make doing normal things on facebook quite a bit more clunky - people might well just get in the habit of clicking "yes" to every single one, leaving us back where we are now.

I think it's a fun set of questions anyhow. Any of you lot got any interesting thoughts?

ETA: Or perhaps we really just want to remove consequential things like money from facebook, and live with an insecure system that worms occasionally navigate? I mean, people still hang around in forums where rickrolling and other annoyances are rife - it's just less annoying to those users than the alternatives. What do you think? Are you willing to live with the occasional facebook worm if it means you can have a social network that looks like the one we're all familiar with (without any of the more irritating security measures I'm suggesting here) ? How annoying or damaging do the worms have to get before you'd rather avoid facebook altogether?
Tags: facebook, research, security, social networks
Subscribe

  • False Positives and Security.

    Bruce Schneier continues to document the increasingly ridiculous war on the unexpected: Offshore oil rig evacuated after someone dreamed of a…

  • Quick musing...

    We all know and love Lazy Evaluation[1]. Among other things, it allows us to do cool stuff like optimize away benchmarks. It occurred to me today…

  • Programming Languages Mentoring Workshop: a POPL Workshop

    If you're interested in programming languages, and especially if you might want to make a career in programming languages research, you may wish to…

  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 14 comments

  • False Positives and Security.

    Bruce Schneier continues to document the increasingly ridiculous war on the unexpected: Offshore oil rig evacuated after someone dreamed of a…

  • Quick musing...

    We all know and love Lazy Evaluation[1]. Among other things, it allows us to do cool stuff like optimize away benchmarks. It occurred to me today…

  • Programming Languages Mentoring Workshop: a POPL Workshop

    If you're interested in programming languages, and especially if you might want to make a career in programming languages research, you may wish to…