Facebook, MySpace Users Susceptible To Cyber Attack

Facebook, MySpace Users Susceptible To Cyber Attack

Social networking sites MySpace and Facebook once again face the very real possibility of being attacked by cybercriminals.

The U.S. Computer Emergency Readiness Team posted a bulletiin Monday warning users of critical vulnerabilities contained in the Aurigma Image Uploader, an ActiveX control that provides the ability to upload photographs, used by the popular social networking sites.

Specifically, the ActiveX control allows users to upload images using the Internet Explorer Web browser. The feature contains multiple stack buffer overflow vulnerabilities in several properties, which include Action, ExtractExif, and ExtractIptc, and testing has thus far shown that versions up to and including 5.0.30 could be susceptible. The vulnerabilities directly affect users running IE on a Windows platform, which automatically comes equipped with the ActiveX control.

If exploited, the errors contained in the Image Uploader could potentially allow a remote attacker to execute malicious code and completely take over a user's machine.

Attackers could lure Facebook or MySpace users running IE on their PCs with a Web page or HTML attachment infected with malicious code. A hacker could then turn the user's computer into a bot or shut down the system completely in a denial of service attack, security experts say.

"All it takes is for an attacker to create a malicious Web page which invokes this control," said Derek Manky, security research engineer at Fortinet. "Then they can do whatever they wish."

Debates have recently swirled around the ActiveX control, which has suffered from flaws in at least three pieces of Web software in recent days. Security researchers say that both social networking sites left themselves susceptible to exploitation by using the image uploader, which was created by a third party developer.

"ActiveX has always been notorious for serving as an exploit launchpad," said Manky.

So far, the publicly available exploit code remains as a proof of concept and is not yet loose in the wild. However, researchers say it will likely be just a matter of time before attackers engage in active exploitation, given the potential to affect MySpace and Facebook's significant user base.

"It's definitely something to keep on alert because the code has been published. Any time it's on Facebook and MySpace, you're going to get a lot of attention," said Manky. "That's what makes this a potentially dangerous attack vector. You have a really broad user base."

Both MySpace and Facebook have been contacted by security researchers and maintained in a joint statement that they are working to resolve the problem.

"MySpace and Facebook are firmly committed to keeping all users as safe and secure as possible. Immediately after identifying a solution Facebook, MySpace and Aurigma collaborated to resolve the issue and are working to individually alert users of any additional steps that need to be taken to ensure user security," a Facebook spokesperson said in a written statement.

The threat itself is not a new one, its severety is underscored by the fact that it can affect numerous MySpace and Facebook users.

While no patches for the vulnerabilities have yet been created, U.S. CERT recommended in its warning that users can work around the problem by disabling the ActiveX controls in Internet Explorer altogether.

"This happens regularly," said Manky. "In the end, it's the users' responsibility to be aware of this and install the updated patch for it."