Social Networks Face Security Challenge from Third-Party Applications

Facebook and other social networking sites such as MySpace face the question of how to secure third-party applications developed for use with their sites. A SQL injection vulnerability recently discovered in two Facebook applications underscores this quandary.

While changes to Facebook's user license agreement have been in the news of late, another issue continues to nag Facebook and other social networks-the security of applications developed by third parties.

The question of what to do with potentially malicious applications created by third parties for use on social networking sites is underscored by the recent findings of security researchers Nir Goldshlager and Rafel Ivgi. 

"The SQL injection we discovered is in two different applications in apps.facebook.com," explained Goldshlager, who works for Citadel Technologies in Israel. "One of the servers is running as root. This means we can write files into the machine and with a high chance of executing code on it as root. In any case it is possible to obtain the same information about the users, as the application is able to get and insert new and even malicious information into the database."

On the subject of Facebook security, officials said fixing third-party applications is up to the developer.

"Developer applications are hosted on third-party servers," Ryan McGeehan, of Facebook's security team, told eWEEK. "When security-related bugs arise in third-party applications-it's the developer's responsibility to get them fixed, as their code does not live on Facebook systems."

When Facebook receives reports about vulnerabilities in third-party applications, officials notify the developers immediately. In some cases, Facebook also disables or sandboxes applications until the developer has corrected the issue.