Networking sites not safe sandboxes

MySpace bills itself as "a place for friends". But it and other social networking sites are becoming a place for enemies too.

A couple of things happened last week that reinforce the point that these sites, while being a terrific way to keep in touch with friends and throw sheep at them, are very much not the safe sandbox that many take them to be.

It has already been pointed out that identity thieves have a pretty wide-open field on MySpace, Facebook and their ilk.

Scammers find it fairly easy to pretend to be someone real, either by creating a profile page or by taking over an existing one.

When they send messages to "friends" on the sites, the messages appear to come from someone the victim knows, so they are far more likely than ordinary spam to get victims to click on a link that installs password-stealing keyloggers.

Last week, security firm Sophos warned that bad guys are writing on Facebook users' comment walls, urging them to watch a video that appears to be hosted by Google.

But the link does not lead to a video: it prompts users to download a program that quietly opens a back door into their computers.

Similar scams have been used to turn PCs into zombies for sending spam.

"People have got to learn that clicking on links in messages to websites can lead to a malware infection, whether the messages are in your email or on a site like Facebook," Graham Cluley, of Sophos, said.

The other reminder came in the form of a presentation by researchers at Black Hat, the Las Vegas convention devoted to tech security.

Shawn Moyer and Nathan Hamiel showed they could embed hidden code in a comment on someone's MySpace profile page that logged the viewer out of the site as soon as the comment was displayed.

More impressive: They placed a similar mini-program in a comment that forced whoever viewed it to become their friend, with no action on the viewer's part.

Malicious applications, even those that initially appear innocent, also have an enormous amount of power over users' information, and they can attack other applications or the users' friends.

The researchers' friendly advice: Social networking sites need to reduce the range of activities that applications are allowed to perform.

And they need to block links to external content, or at least do much more to ensure that such content is both of a specific type - such as a photo - and at a trusted place, such as Flickr or Photobucket.

Facebook and MySpace didn't respond to requests for comment. - Joseph Menn
