Social Networks Face Security Challenge from Third-Party Applications
Facebook and other social networking sites such as MySpace face the question of how to secure third-party applications developed for use with their sites. A SQL injection vulnerability recently discovered in two Facebook applications underscores this quandary.

While changes to Facebook's user license agreement have been in the news of late, another issue continues to nag Facebook and other social networks: the security of applications developed by third parties. The question of what to do with potentially malicious applications created by third parties for use on social networking sites is underscored by the recent findings of security researchers Nir Goldshlager and Rafel Ivgi.
"The SQL injection we discovered is in two different applications in apps.facebook.com," explained Goldshlager, who works for Citadel Technologies in Israel. "One of the servers is running as root. This means we can write files into the machine and with a high chance of executing code on it as root. In any case it is possible to obtain the same information about the users, as the application is able to get and insert new and even malicious information into the database."