[AI] New social networking Web site flaws are rich targets for hackers

renuka warriar erenuka at gmail.com
Sun Aug 5 01:10:01 EDT 2007


The Hindu News Update Service

News Update Service
Sunday, August 5, 2007 : 0330 Hrs

Sci. & Tech.
New social networking Web site flaws are rich targets for hackers

Las Vegas, Aug. 5 (AP): Social networking Web sites such as MySpace.com are increasingly juicy targets for computer hackers, who are demonstrating a pair
of vulnerabilities they claim expose sensitive personal information and could be exploited by online criminals.

The flaws are being demonstrated this week at the Black Hat and Defcon hacker conferences, which draw thousands of people to Las Vegas each year for five
days of training and demonstrations of the latest exploits.

Black Hat, the more genteel of the two events with heavy industry sponsorship and big admission fees, ended Thursday with some 4,000 attendees. Defcon,
larger and more roguish, started smoothly Friday, without any of the registration problems that irked fire officials last year and caused lengthy delays.
Organizers expect the crowd to exceed last year's attendance of roughly 5,000 people.

Infiltrating password-protected social networking sites has been an increasingly fruitful area of study for hobbyists and professional computer security
researchers.

One hacker, Rick Deacon, a 21-year-old network administrator from Beachwood, Ohio, says he has discovered a so-called ``zero-day'' flaw _ or a problem that
has not been patched yet _ in MySpace that allows intruders to commandeer personal Web pages and possibly inject malicious code.

Deacon is scheduled to present his findings Sunday. So far, it only affects older versions of the Firefox Web browser and does not affect Internet Explorer,
he said.

The attack uses a so-called ``cross-site scripting'' vulnerability, a common type of flaw found in Web applications that involves injecting code onto someone
else's Web page.

The vulnerability could not be independently verified, but experts said these types of attacks are a particular problem for social networking sites, where
it's difficult to police the content of the millions of posts each day.

Deacon said the flaw he discovered requires that a user click on a link that leads to a Web page where the computer's ``cookie'' information is stolen.
Deacon said he discovered the problem several months ago along with several other researchers and alerted MySpace, but the company did not fix the problem.

``Facebook and MySpace both patch things that they find, but it's like a sandbox,'' Deacon said. ``There's so much. And there are probably hundreds more
cross-site scripting vulnerabilities there. There's no way they can find them all.''

A MySpace spokeswoman declined to comment specifically about Deacon's presentation. The company said in a statement that ``it's our responsibility to have
the most responsive, solely dedicated 24-7 safety and security team, and we do.''

In a separate demonstration, Robert Graham, chief executive of Atlanta-based Errata Security, showed a program for snooping on the computers on public wireless
networks to steal the ``cookie'' information and hijack e-mail accounts and personal Web pages on social networks.

In his Black Hat presentation, he took over the e-mail account of an audience member using Google Inc.'s Gmail service. Graham said his program demonstrates
the vulnerability of public wireless connections.

``Everyone has gotten into their minds that passwords over WiFi are toxic, so let's fix that, and they have,'' Graham said. ``What I'm saying is that everything
else is just as toxic.''

Graham's demonstration would not have worked if the audience member had been using the encrypted version of Gmail.

Google declined to comment specifically on the presentation but said the company is expanding its capacity to enable automatic encryption for all Gmail
users.




More information about the AccessIndia mailing list