Facebook: Platform of Evil
People at something called the Institute of Computer Science have put together, as a proof of concept, a malicious Facebook application that can enlist users who add the app into a denial-of-service botnet, and got over 1000 users to sign up. The malicious code was distributed through an innocent-looking “photo of the day” application.
It doesn’t seem to pose a security threat to those who install the app (beyond unwittingly becoming participants in a DoS attack); rather, the malicious app is designed to flood a particular server with requests, rendering it unresponsive or crashing it.
[W]e have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host. More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).
Maybe Facebook could afford to be a little more stringent in their standards for third-party apps.
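From the victim server's side, the mechanism quoted above leaves a recognisable trace: one large static image fetched over and over by many distinct clients, each request carrying a Referer from a third-party page rather than from the server's own site. The following detection routine, added here as an illustration and not part of the original post or the researchers' work, parses combined-format access logs and flags exactly that pattern; the log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines in combined log format; the addresses, hosts and
# paths are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET /img/potd.jpg HTTP/1.1" 200 614400 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2024:12:00:02 +0000] "GET /img/potd.jpg HTTP/1.1" 200 614400 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
203.0.113.12 - - [10/Jan/2024:12:00:02 +0000] "GET /img/potd.jpg HTTP/1.1" 200 614400 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
203.0.113.13 - - [10/Jan/2024:12:00:03 +0000] "GET /img/potd.jpg HTTP/1.1" 200 614400 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:00:04 +0000] "GET /img/potd.jpg HTTP/1.1" 200 614400 "http://www.victim.test/gallery/" "Mozilla/5.0"
198.51.100.8 - - [10/Jan/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return (ip, path, bytes, referer_host), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    ref = m["referer"]
    host = urlsplit(ref).hostname if ref not in ("", "-") else None
    return m["ip"], m["path"], size, host or ""

def find_embed_floods(lines, own_hosts, min_clients=3, min_bytes=500_000):
    """Flag large resources that many distinct clients fetch while embedded in a
    page hosted elsewhere (Referer host not one of our own sites)."""
    groups = defaultdict(lambda: {"clients": set(), "bytes": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, size, ref_host = parsed
        if not ref_host or ref_host in own_hosts:
            continue  # direct hit, or our own page embedding our own image
        g = groups[(path, ref_host)]
        g["clients"].add(ip)
        g["bytes"] += size
    return [
        {"path": p, "referer_host": h, "clients": len(g["clients"]), "bytes": g["bytes"]}
        for (p, h), g in groups.items()
        if len(g["clients"]) >= min_clients and g["bytes"] >= min_bytes
    ]

if __name__ == "__main__":
    for hit in find_embed_floods(SAMPLE_LOG.splitlines(), {"www.victim.test"}):
        print(hit)
```

Once such a path is flagged, the usual mitigation is to reject or rate-limit requests for it whose Referer is off-site, which starves the hidden frames without affecting the site's own pages.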