MySpace bills itself as "a place for friends". But it and
other social networking sites are becoming a place for
enemies too.
A couple of things happened last week that reinforce the
point that these sites, while being a terrific way to keep in
touch with friends and throw sheep at them, are very much not
the safe sandbox that many take them to be.
It has already been pointed out that identity thieves have a
pretty wide-open field on MySpace, Facebook and their ilk.
Scammers find it fairly easy to pretend to be someone real,
either by creating a profile page or by taking over an
existing one.
When they send messages to "friends" on the sites, they are
far more apt than with ordinary spam to get victims to click
on a link that installs password-stealing keyloggers.
Last week, security firm Sophos warned that bad guys are
writing on Facebook users' comment walls, urging them to
watch a video that appears to be hosted by Google.
But the displayed link actually asks users to download a
program that surreptitiously opens a back door into their
computers.
Similar scams have been used to turn PCs into zombies for
sending spam.
"People have got to learn that clicking on links in messages
to websites can lead to a malware infection, whether the
messages are in your email or on a site like Facebook,"
Graham Cluley, of Sophos, said.
The other reminder came in the form of a presentation by
researchers at Black Hat, the Las Vegas convention devoted to
tech security.
Shawn Moyer and Nathan Hamiel showed they could include
invisible code in a comment on someone's MySpace profile page
that would log the recipient out of the site as soon as they
viewed it.
More impressive: They sent a similar mini-program in a
comment that forced someone to become their friend.
Malicious applications, even those that initially appear
innocent, also have an enormous amount of power over users'
information, and they can attack other applications or the
users' friends.
The hackers' friendly advice: Social networking sites need to
reduce the range of activities that applications are allowed
to perform.
And they need to block links to external content, or at least
do much more to ensure that such content is both of a
specific type - such as a photo - and at a trusted place,
such as Flickr or Photobucket.
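The allowlist check the researchers recommend, written out as an added example (not code from MySpace, Facebook, or the Black Hat presenters): an embed is accepted only if it points at an exact trusted hostname and looks like a photo, first by URL shape and then by the bytes actually fetched. The hostnames, extensions and sample inputs are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact hostnames only. No suffix matching, so
# "static.flickr.com.evil.example" does not pass as a Flickr host.
TRUSTED_IMAGE_HOSTS = {
    "static.flickr.com",
    "farm1.static.flickr.com",
    "i.photobucket.com",
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

# Leading bytes of the formats we accept; the real type check is done on the
# fetched content, not on the filename, because an extension is user-controlled.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def is_allowed_image_url(url: str) -> bool:
    """True only for an http(s) link to an image path on a trusted host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Rejects javascript:, data:, and scheme-less forms such as //host/x.jpg.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname drops userinfo and port: "https://static.flickr.com@evil.example/"
    # has hostname evil.example, so the disguise fails the allowlist.
    host = parts.hostname
    if host is None or host not in TRUSTED_IMAGE_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # Only the path decides the type; the query string is ignored.
    return parts.path.lower().endswith(IMAGE_EXTENSIONS)


def image_type_from_bytes(data: bytes):
    """Name the image format from its leading bytes, or None if it is not one."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def filter_comment_embeds(urls):
    """Keep only embeds that pass the URL check; rejected ones are dropped, not rewritten."""
    return [u for u in urls if is_allowed_image_url(u)]
```

A site would call `is_allowed_image_url` when the comment is posted and `image_type_from_bytes` on the first bytes of the fetched file before serving it in a profile, so an executable renamed to `.jpg` is caught at the second step.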
Facebook and MySpace didn't respond to requests for comment.
- Joseph Menn