The Tech Herald

Facebook applications pose Trojan risk says researcher

by Steve Ragan - Sep 21 2009, 17:45

Unu, the researcher known for the vulnerability disclosures he made over the summer against anti-virus vendors and news organizations, has posted an advisory centered on Facebook applications. His post was also, apparently at Facebook's instigation, censored shortly after its release.

Starting with the disclosure: Unu found vulnerabilities in several applications developed by NewsCloud. With Facebook now at over 300 million users, Unu's claim that the flaws he discovered could lead to malware distribution may come off as alarmist. However, it has already happened: in the past, malicious Facebook applications, as well as malicious links and Wall posts, have spread the Koobface family of malware.

Unu discovered vulnerabilities in the Hot Dish, MnDaily, In:Site, and The Needle Facebook applications, each developed by Jeff Reifman's company NewsCloud. According to Unu's post, the applications are vulnerable to SQL injection, and the injection also allows the MySQL LOAD_FILE() function to be called, which reads arbitrary files from the database server whenever the application's database account holds the FILE privilege.

The flaws, said Unu, mean that "…with a little patience, a writable directory can be found and, by injecting malicious code, we get command line access with which we can do virtually anything we want with the website: upload PHP shells, redirects, and infect pages with Trojan droppers."
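The chain Unu describes has two stages: a query built by string concatenation lets the attacker change its structure, and on MySQL the same injection point then reaches LOAD_FILE() (read server files) and INTO OUTFILE (write a PHP shell into a writable web directory). The following is an added example, not code from the article or from NewsCloud's applications. It shows the concatenation pattern beside its parameterized form on an in-memory SQLite database, and a small detector for the file-read/file-write stage run over constructed web-server log lines. The schema, table, function names and log lines are all assumptions made for the example; SQLite has no LOAD_FILE() or FILE privilege, so a UNION that reflects sqlite_version() stands in for the file read.

```python
"""Added example: SQL injection pattern and its fix, plus a log detector.

Not taken from the article or from NewsCloud; schema, names and log
lines are constructed for illustration.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """Construct a throwaway database standing in for the app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The flawed pattern: user input is spliced into the SQL text, so a quote
    in the input ends the literal and the rest of the input becomes SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the value is bound to a placeholder and can never alter the
    structure of the query, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Stage two of the attack on MySQL: LOAD_FILE() to read files, INTO OUTFILE /
# INTO DUMPFILE to drop a PHP shell. Matched case-insensitively after decoding.
FILE_STAGE = re.compile(r"\b(load_file\s*\(|into\s+(out|dump)file\b)", re.I)

# Common Log Format prefix: client, ident, user, [timestamp], "METHOD path ...
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_path) for requests whose path or query string
    carries LOAD_FILE or INTO OUTFILE/DUMPFILE. Decoding once before matching
    catches the URL-encoded form in which such payloads normally arrive."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m.group(2))
        if FILE_STAGE.search(path):
            hits.append((m.group(1), path))
    return hits


# Constructed log lines (assumed format and hosts), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Sep/2009:10:02:11 +0000] "GET /app/story.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Sep/2009:10:02:40 +0000] "GET /app/story.php?id=12%27%20UNION%20SELECT'
    '%20LOAD_FILE(%27/etc/passwd%27),1--%20 HTTP/1.1" 200 7010',
    '203.0.113.9 - - [21/Sep/2009:10:03:05 +0000] "GET /app/story.php?id=12%27%20UNION%20SELECT'
    '%20%27%3C?php%20system($_GET[c]);%20?%3E%27,1%20INTO%20OUTFILE'
    '%20%27/var/www/app/uploads/s.php%27--%20 HTTP/1.1" 200 12',
]


def demo():
    """Run both lookups against the same payloads and the detector over the log."""
    conn = build_db()
    bypass = "alice' OR '1'='1"
    # On MySQL the second column of this UNION is where LOAD_FILE('/etc/passwd')
    # would go; here it reflects sqlite_version() to show attacker-chosen output.
    reflect = "x' UNION SELECT 'injected', sqlite_version() -- "
    return {
        "vulnerable_bypass": lookup_vulnerable(conn, bypass),
        "parameterized_bypass": lookup_parameterized(conn, bypass),
        "vulnerable_union": lookup_vulnerable(conn, reflect),
        "parameterized_union": lookup_parameterized(conn, reflect),
        "log_hits": suspicious_requests(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parameterized lookup returns nothing for both payloads because no user is literally named `alice' OR '1'='1`, while the concatenated version returns every row for the first and an attacker-chosen row for the second. On the database side, the second stage is only possible because the application's MySQL account holds the FILE privilege and `secure_file_priv` is unset or permissive; revoking that privilege and pointing `secure_file_priv` at a directory outside the web root removes the file read and shell drop even if an injection remains.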

While the vulnerable applications were all developed by a single source, Unu said that he wasn’t targeting NewsCloud, just Facebook applications in general. At the same time, as one of Unu’s example images showed, passwords were being stored in clear text, so he did take issue with NewsCloud for that little problem.

It would appear that someone at Facebook, or maybe NewsCloud, took offence to Unu’s posting.

Earlier this morning, Unu checked his blog post on the Facebook application flaws, and noticed that all of his images were missing. His assumption is that Imageshack, where the example images were hosted, was ordered to kill his account.

Related to the loss of images, his WordPress blog was shut down as well for TOS violations. While there is no confirmation that Facebook or NewsCloud ordered the removal of the images, Unu shamed them nevertheless in his follow-up posting.

These vulnerable applications are only the first in a series, Unu said; he will continue to post more vulnerable applications as he discovers them. Interestingly enough, Unu's side project will run alongside the Month of Facebook Bugs project.

The difference is that the Month of Facebook Bugs will only detail vulnerable Facebook applications that have already been patched; Unu will likely do no such thing.
