Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, it’s only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Defeating MSPLinks on MySpace

The following post is a contribution from a researcher called “anti-social”:

A few years back MySpace implemented MSPLinks as a way to defeat spammers from posting their spam URLs. The idea being that spammers couldn’t make money if they constantly had to buy new domains. The idea worked to a pretty good extent once MySpace finally figured out how to filter all the XSS vulnerabilities they had when sanitizing profiles.

About a year ago, MySpace added to MSPLinks a phishing warning screen to inform users that the site they were going to could possibly be malicious. This screen can be easily defeated by a simple post method with a hidden field. That’s because MSPLinks.com trusts post requests from MySpace.com.

A working example can be found at: http://www.myspace.com/socnetsec

If you click the 1st button under the “About Me” section, the phishing screen isn’t shown (IE and Safari take you straight through to the link; Firefox pops up a warning asking if you want to post your data to MSPLinks).

If you click the 2nd button, you’ll notice that you’ll be taken to MySpace’s phishing window.

Here is the simple html code in the profile:

<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="POST">
<input type="submit" name="coolbutton" value="SETTING DISCHECK" />
<input type="hidden" name="discheck" value="on" />
</form>
<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="GET">
<input type="submit" name="coolbutton" value="NO DISCHECK" />
</form>

What’s the point?  Even with SPAM and URL filtering on social networks like MySpace…they can be easily bypassed.  Since 2007 there have been many different ways to bypass MSPLinks (just do a Google search), this is just another method.  Also, because social networks encourage user generated content, clicking on any links that are posted by the user can lead to bad things.  Especially if they are already masked like they are via MSPLinks.  MSPLinks have now become even more dangerous because you trust MySpace is filtering these links.

Hopefully, MySpace can come up with something better than MSPLinks as they are pretty much useless to fight SPAM and links to malware sites.
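As an added illustration of the design flaw above (this is example code written for this page, not MySpace's or anti-social's code), the interstitial decision is modelled two ways: the weak version skips the warning whenever a POST carries the client-supplied hidden field, exactly as the post describes, while the hardened version ignores the HTTP method and any client flag and only skips the warning on a server-issued HMAC token bound to the destination. The signing key and the token parameter name "confirm" are assumptions for the example; the decoder reads the base64 path segment used in the MSPLinks URLs shown in the post.

```python
import base64
import hashlib
import hmac

# Constructed secret for this example; a real deployment would use its own per-service key.
INTERSTITIAL_KEY = b"constructed-example-key-do-not-reuse"


def decode_msplink(token: str) -> str:
    """Decode the base64 path segment from the MSPLinks URLs in the post.
    The segment decodes to a two-character prefix ('01') followed by the destination URL."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4)).decode()
    return raw[2:] if raw.startswith("01") else raw


def weak_decision(method: str, params: dict) -> str:
    """Behaviour the post describes: a hidden 'discheck=on' field in a POST skips the
    phishing warning, so any profile that can emit a form suppresses the interstitial."""
    if method == "POST" and params.get("discheck") == "on":
        return "redirect"
    return "warn"


def confirmation_token(destination: str) -> str:
    """Token the interstitial itself issues when the user clicks 'continue' on the warning page."""
    return hmac.new(INTERSTITIAL_KEY, destination.encode(), hashlib.sha256).hexdigest()


def hardened_decision(method: str, params: dict, destination: str) -> str:
    """Skip the warning only on a valid server-issued token bound to this exact destination.
    The method, the referrer and any other client-supplied flag play no part, so a hidden
    field in a third-party form cannot bypass the check."""
    supplied = params.get("confirm", "").encode()
    expected = confirmation_token(destination).encode()
    if hmac.compare_digest(supplied, expected):
        return "redirect"
    return "warn"


if __name__ == "__main__":
    dest = decode_msplink("MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t")
    print("destination:", dest)
    print("weak, POST discheck=on:", weak_decision("POST", {"discheck": "on"}))
    print("hardened, POST discheck=on:", hardened_decision("POST", {"discheck": "on"}, dest))
    print("hardened, valid token:", hardened_decision("GET", {"confirm": confirmation_token(dest)}, dest))
```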

New Research Released on Koobface

Today Trend Micro released probably the most comprehensive research yet on the Koobface social network worm.  This research details how Koobface works, the malicious payloads it carries and how this worm has spread to all the major social networks, the most recent victim being Twitter.  Most alarming is that Koobface will continue to evolve and is the beginning of a new generation of malware targeting social networks.

Check out the article and download the PDF for the full report.  We will also have this link posted in the “Research” section of the site.

Security and Privacy in Social Networks Bibliography

We just added a fantastic link to 70+ academic papers about security and privacy issues in social networks. It is maintained by Joseph Bonneau from the University of Cambridge.  You will see a page titled “Research” at the top of the page where you can get links to this and other academic papers and research papers.

Thanks to Joe for the submission!