Several researchers have built an application on Facebook called “Photo of the Day” to exploit security vulnerabilities. The application, which seemed harmless showed a large picture from National Geographic everyday, but every time the application was clicked, a 600 kilobyte HTTP requested an image from a victim’s website.
The application user does not realize that every time they clicked the application, they are contributing to a denial-of-service attack on a website. The application was added about 9 months ago and about 1,000 Facebook users installed it. The researchers monitored how much incoming traffic was sent to the fictitious victim website. If a few million users added the application, it would send about 248 gigabytes of unwanted traffic to a victim’s website.
“We used our FaceBot to carry out a complete evaluation of our proof-of-concept attack via real-world experiments,” stated the researchers in their paper. “Extrapolating from these measurements along with popularity metrics of current Facebook applications, we show that owners of popular Facebook applications have a highly distributed platform with significant attack firepower under their control.”
Applications also have the ability to access the personal details of users on Facebook and store them on remote servers. One way to prevent this from happening is to have applications lack the ability to interact with host websites that are not part of the social network. Every new application should be scrutinized intensely by Facebook too.
The study was conducted by the Institute for Infocomm Research in Singapore along with Research and Technology in Heraklion, Greece. The application is still live so far.