Microsoft recently warned about Man-in-the-Browser (MitB) malware abusing Facebook sessions. Once a user is infected – often via a drive-by download from a compromised or malicious site – the malware runs inside the browser and simply rides the user’s already authenticated Facebook session: it can post messages, ‘like’ pages and get up to general mischief without ever needing the user’s password.
But this wasn’t the first MitB attack to target social networking services. One person who’s been following this attack vector is Aditya Sood, a security practitioner at IOActive, PhD candidate at Michigan State University and frequent presenter at infosecurity conferences.
Sood explains that social networking sites are attractive targets for attackers. In effect, they represent massive databases of potential victims. Once one account is compromised through its authenticated session, the attacker can spread to that user’s contacts by exploiting the trust relationships the network encodes: a link or message that appears to come from a friend is far more likely to be clicked than one from a stranger.
The trust that both the social networking site and other users place in the compromised session makes it a powerful launchpad for a variety of attacks. And because everything happens on the client side – in the victim’s own browser, over the victim’s own session, with no need to ‘hack’ the social network itself – the site receives ordinary, fully authenticated requests and countermeasures are tricky to implement.
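To make the mechanism concrete, here is a small Node.js simulation of a MitB hook riding an authenticated session. It is an added example, not code from the article or from any real malware: the server, browser, cookie value, CSRF token and API paths are all constructed stand-ins. It shows the point the article makes about countermeasures: the hook runs inside the page, so it sends the session cookie the browser attaches automatically and can read the page’s anti-CSRF token, and the server sees the injected ‘like’ and wall post as indistinguishable from the user’s own action.

```javascript
// Simulation of a Man-in-the-Browser hook riding an authenticated session.
// Added example, not code from the article or from any real malware; all
// names (SESSION_COOKIE, CSRF_TOKEN, /api/action) are constructed.

const SESSION_COOKIE = "sid=victim-session-token"; // constructed value
const CSRF_TOKEN = "csrf-abc123";                   // constructed value

// Stand-in for the social network's server. It authenticates by session
// cookie and also requires the anti-CSRF token the page was rendered with.
function makeServer() {
  const log = [];
  return {
    log,
    handle(path, { headers = {}, body = "{}" } = {}) {
      if (headers.Cookie !== SESSION_COOKIE) return { status: 401 };
      const data = JSON.parse(body);
      if (data.csrf !== CSRF_TOKEN) return { status: 403 };
      log.push({ path, action: data.action, target: data.target });
      return { status: 200 };
    },
  };
}

// Stand-in for the victim's browser: a page that holds the CSRF token in
// its DOM, and a fetch() that attaches the session cookie automatically,
// as a real browser does for same-site requests.
function makeBrowser(server) {
  return {
    page: { csrfToken: CSRF_TOKEN },
    fetch(path, opts = {}) {
      const headers = { ...(opts.headers || {}), Cookie: SESSION_COOKIE };
      return server.handle(path, { ...opts, headers });
    },
  };
}

// The MitB hook. It runs inside the page, so it can read the CSRF token and
// call the real fetch. It forwards the user's own request untouched (nothing
// visibly breaks) and then piggybacks attacker actions through the same
// authenticated channel.
function installMitbHook(browser, injectedActions) {
  const original = browser.fetch.bind(browser);
  browser.fetch = (path, opts) => {
    const result = original(path, opts);
    for (const a of injectedActions) {
      original("/api/action", {
        method: "POST",
        body: JSON.stringify({ ...a, csrf: browser.page.csrfToken }),
      });
    }
    return result;
  };
}

// Scenario: the user performs one legitimate wall post. With the hook
// installed, two attacker actions ride along on the same session.
function runScenario(hooked = true) {
  const server = makeServer();
  const browser = makeBrowser(server);
  if (hooked) {
    installMitbHook(browser, [
      { action: "like", target: "page:attacker-controlled" },
      { action: "post", target: "wall:friend-1", text: "click this link" },
    ]);
  }
  const userResult = browser.fetch("/api/action", {
    method: "POST",
    body: JSON.stringify({
      action: "post",
      target: "wall:self",
      csrf: browser.page.csrfToken,
    }),
  });
  return { userStatus: userResult.status, serverLog: server.log };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("clean browser:", JSON.stringify(runScenario(false)));
  console.log("hooked browser:", JSON.stringify(runScenario(true)));
}
```

Every entry in the hooked server log passed the same cookie and CSRF checks as the user’s own post, which is why neither TLS nor anti-CSRF tokens help here: the attacker is already on the trusted side of both. Detection has to come from behaviour the site can observe, such as bursts of likes or posts that no interaction in the UI accounts for, or from endpoint controls that keep the hook out of the browser in the first place.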