Facebook botnet risk revealed

Researchers created a demo "Photo of the Day" app that turned Facebook users' machines into a botnet. Social networks, they warn, are ideal for attack platforms.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Sept. 8, 2008 12:18 p.m. PT

2 min read

Updated Sept. 8 with National Geographic saying the app is not sanctioned by them.

Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a botnet that in a demonstration launched denial-of-service attacks on a victim server.

"Social Network Web sites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore.

The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper.

A National Geographic spokeswoman said the app is not sanctioned by her company.

Such a botnet could be used for other types of attacks, such as spreading malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.

The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet."

"More precisely, social network providers should be careful with the use of client side technologies, like JavaScript, etc," the paper says. "A social network operator should provide developers with a strict API, which is capable of giving access to resources only related to the system. Also, every application should run in an isolated environment imposing constraints to prevent the application from interacting with other Internet hosts, which are not participants of the social network. Finally, operators of social networks should invest resources in verifying the applications they host."

In addition, the apps pose privacy risks as well because of the access they have to the data of the people who add the apps to their pages, the paper says.

Similar privacy and security concerns have been raised by others after previous third-party apps have been found to have security holes in Facebook.

Facebook representatives did not return e-mails seeking comment.

(Via ZDNet's Zero Day blog and the Dark Reading blog.)