Facebook app shows botnet risk
Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research. Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as …
Big deal. What about the thousands of forums that allow you to post <img .../> tags?
You're only going to get a few thousand people installing your app, and they are not all going to do it within a few seconds of each other. Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve. And most websites can handle serving a few thousand pictures over the course of a week perhaps. In fact I'd go so far as to say that's what they were designed to do.
the whole 'content hosters not being responsible for user contributions' scenario? Like the Reg is not responsible for the content of this missive even though they provide the interface I use to post it... Is Facebook exempt from damages caused by their little webapp interface, since it's created by a third party? Or will this be yet another grey area of internet law that needs to be vetted?
Its your personal army.
-or-
Who needs zombie PC's when you have zombie users.
http://riosec.com/how-to-create-a-gifar
http://66.102.9.104/search?q=cache:Y2kd8XolyJkJ:www.hackaday.com/2008/08/04/the-gifar-image-vulnerability/+gifar
I'd have thought that ad click fraud would be one of the easiest and nearly undetectable uses of this technique. No longer require actual people to click and each IP is genuine so very difficult for google to detect it as fraud.
"Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve"
and a web site can tell it not to save anything and load everything from the web site each time the user views it
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
and
<META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 1999 11:12:01 GMT">
should do it :P
That's only if the url is constant.
The answer from AC is valid, but sort of ignores the point - since no webserver will intentionally be configured to allow itself to be DoS'd. At least, you'd hope not...
Anyway - adding some random text after the link will do just as well. So instead of requesting:
http://www.example.com/image.jpg
you request
http://www.example.com/image.jpg?UID=0123456789
(With that number being "randomly" generated)
Then it is quite unlikely to be cached.
Sign up, sign up for The Register's weekly IT security newsletter - click here
