back to article Facebook app shows botnet risk

Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research. Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed …

COMMENTS

This topic is closed for new posts.
  1. Aidan Samuel
    Thumb Down

    Yawn

    Big deal. What about the thousands of forums that allow you to post <img .../> tags?

    You're only going to get a few thousand people installing your app, and they are not all going to do it within a few seconds of each other. Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve. And most websites can handle serving a few thousand pictures over the course of a week perhaps. In fact I'd go so far as to say that's what they were designed to do.

  2. Peyton
    Paris Hilton

    How does this tie in with

    the whole 'content hosters not being responsible for user contributions' scenario? Like the Reg is not responsible for the content of this missive even though they provide the interface I use to post it... Is Facebook exempt from damages caused by their little webapp interface, since it's created by a third party? Or will this be yet another grey area of internet law that needs to be vetted?

  3. Mark
    Pirate

    It's not /b/

    Its your personal army.

    -or-

    Who needs zombie PC's when you have zombie users.

  4. dave lawless
    Boffin

    pah, at least be malicious

    http://riosec.com/how-to-create-a-gifar

    http://66.102.9.104/search?q=cache:Y2kd8XolyJkJ:www.hackaday.com/2008/08/04/the-gifar-image-vulnerability/+gifar

  5. Steve

    click fraud is more likely

    I'd have thought that ad click fraud would be one of the easiest and nearly undetectable uses of this technique. No longer require actual people to click and each IP is genuine so very difficult for google to detect it as fraud.

  6. Anonymous Coward
    Happy

    @Aidan Samuel

    "Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve"

    and a web site can tell it not to save anything and load everything from the web site each time the user views it

    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

    and

    <META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 1999 11:12:01 GMT">

    should do it :P

  7. Anonymous Coward
    Stop

    @AIdan Samuel

    That's only if the url is constant.

    The answer from AC is valid, but sort of ignores the point - since no webserver will intentionally be configured to allow itself to be DoS'd. At least, you'd hope not...

    Anyway - adding some random text after the link will do just as well. So instead of requesting:

    http://www.example.com/image.jpg

    you request

    http://www.example.com/image.jpg?UID=0123456789

    (With that number being "randomly" generated)

    Then it is quite unlikely to be cached.

This topic is closed for new posts.

Other stories you might like