Security - eWeek


Social Networks Face Security Challenge from Third-Party Applications





Facebook and other social networking sites such as MySpace face the question of how to secure third-party applications developed for use with their sites. A SQL injection vulnerability recently discovered in two Facebook applications underscores this quandary.


While changes to Facebook's user license agreement have been in the news of late, another issue continues to nag Facebook and other social networks—the security of applications developed by third parties.

The question of what to do with potentially malicious applications created by third parties for use on social networking sites is underscored by the recent findings of security researchers Nir Goldshlager and Rafel Ivgi. 

"The SQL injection we discovered is in two different applications in apps.facebook.com," explained Goldshlager, who works for Citadel Technologies in Israel. "One of the servers is running as root. This means we can write files into the machine and with a high chance of executing code on it as root. In any case it is possible to obtain the same information about the users, as the application is able to get and insert new and even malicious information into the database."

On the subject of Facebook security, officials said fixing third-party applications is up to the developer.

"Developer applications are hosted on third-party servers," Ryan McGeehan, of Facebook's security team, told eWEEK. "When security-related bugs arise in third-party applications—it's the developer's responsibility to get them fixed, as their code does not live on Facebook systems."

When Facebook receives reports about vulnerabilities in third-party applications, officials notify the developers immediately. In some cases, Facebook also disables or sandboxes applications until the developer has corrected the issue.



 
 
>>> More Security Articles          >>> More By Brian Prince
 

 