Is everybody ready for us to begin? There's not a whole lot of audience participation, but a little bit. There is always audience participation at DEF CON. You guys ready for this?

Yeah, so this is "Satan Is on My Friends List: Attacking Social Networks." I am Nathan Hamiel, senior consultant at Idea Information Security, associate professor at UAT. And as a matter of fact, I might have some students here, so I'm on my best behavior. And I have Facebook, LinkedIn, MySpace, and Twitter. If you see accounts for us on any other network, assume they're not us. Thank you.

I'm Shawn Moyer. I hack for dollars for a company called FishNet Security at the moment. Multi-purpose windbag, frequent Black Hat speaker. LinkedIn, Twitter, and sort of kind of Facebook. Please pay us to come break your web apps. Thank you.

And so not only are we in your extended network, but Satan is also in your extended network. And actually Satan is rather elitist and doesn't like people adding him to his friends list. We tried to add many Satans and no one would give us the time of day except, apparently, this Satan, who is 69 years old from Connecticut. We weren't quite sufficiently evil. It took a little while and we sent him a couple of requests and finally he gave in. So we made Satan give in.

Brief disclaimer: no animals, bloggers, journalists, or cameras were harmed during these demonstrations. While actual social net sites and users were involved, all payloads were benign and only resulted in wounded pride and possibly high blood pressure. We are not experts and should not be trusted in any way. Always ask your doctor before changing prescriptions or viewing LiveJournal session captures.

MySpace contains the most feature-complete OpenSocial implementation. Many of the issues discussed here are on their platform. The rest of you guys suck too. Seriously, we mean it.
We just don't want people to get the idea that we're only picking on MySpace, because that's really not the case. It is kind of like beating up on a retarded kid. It's a lot of fun, but it's a little too easy.

So what is our presentation about? This is our little roadmap type thing and it's out of order. So don't look at the order. It's totally in order. What the hell are you talking about?

Our obsession with social networks is basically a series of kind of impromptu threat models and kind of pro bono penetration testing we did over drinks, box wine, hard liquor, whatever you can get a hold of. Also seeing how many accounts we could get deleted very quickly. Usually, actually, very slowly. If you care about your MySpace or Facebook account, don't do any of the things that you see us do here, because you won't have it very long.

Okay, so this is like a really hard thing. We argued about this for like three or four months: are these disclosure-worthy? Are they not disclosure-worthy? Well, I mean, they can get you massively owned, but they're documented in the APIs. Yeah, if you document your vulnerabilities, then you probably know about them. Yeah, you should already know. So yeah, we argued about different words for that. So we're like, you know, vulnerability and feature; like Brendan O'Connor said, call it a "vulture." So we said, yeah, "feature-abilities." A lot of these things are things they put there on purpose.

Yeah, so social networks as an attack platform. You know, obviously millions of users, something like seven or eight million on like Facebook and a couple of the other ones. The Alexa top 20 websites, like the highest-traffic websites out there, something like five of those are social networks. So you know, there's a lot of users, a lot of targets. You know, the business model is really about, guess what, not actually helping you find your old high school girlfriend.
But allowing users to create all this content and all these groups and all these things so that they can sell marketing and direct things towards you. So you're volunteering to create your own focus group of your friends, right? If you think about it, social networks are created by content that's really not theirs. They're counting on their user community to create this content and put it on there. So most of their content isn't created by them or kind of controlled by them, and you'll see that coming up.

Yeah, and so sort of, you know, vuln mashups. There's a lot of social components to a lot of these things. There's also a lot of technical components. One of the big things about social networks is they're really kind of built on trust. It's very much this environment of everybody joining hands and singing kumbaya. So, you know, that makes it pretty interesting to look at. Yeah, and then various kind of really kind of retarded demos and silliness. And this makes no sense until you see the slides. Yeah, things that we wish we could unsee.

We're also going to talk about some particular things with the apps for these social networks. So attacking with clients, attacking apps with apps, and using a social net as a lightweight botnet, also known as malware as a service. And of course, some cross-site request forgeries, and actually some things that really aren't cross-site request forgeries. They're actually same-site request forgeries, which actually makes them really just request forgeries. Yeah, so they're IRF, you know, as opposed to CSRF. So, you know, we already know you're logged into the site. We're using the site to get you to do other things.

This is pretty much the moral of the story: external content equals bad, and we will discuss that here very shortly. This is Chris Bissell from the MySpace team, and we just want him to know that we don't want him to hate us too bad.
His videos were very informative and helped out a lot when constructing a lot of these attacks. Thanks, Chris. We appreciate it.

Okay, now down to "external content equals Foxer." Wow, that's dark. I think it's awesome. So, if you link to things off-site, you're actually setting yourself up for failure. And a few of the things we went through: using an image tag to perform cross-site request forgeries. You know, you can do click fraud, social net as botnet, and it's not just MySpace, even though those are our demos; there's a lot of other sites that are vulnerable to this too. MySpace, hi5, LiveJournal, many of these sites allow you to link to content off-site, even if it's just an image. Yeah, pretty much anybody that gives you the ability to do something off-site on their site, we can fuck around with your request, mangle it, and then send it back, and essentially they have no control over what's going on.

Oh, and, in case you didn't know, according to the Associated Press, we invented cross-site request forgery. You're welcome. That just came out yesterday. Yeah, we thought that was great. They've discovered a novel way to insert an image tag. Yeah, this is all really old, really obvious stuff, which is why it's so appalling that it still works.

And, of course, this is our same-site request forgery, things like this. Converting requests: if you take a particular POST request and convert it to a GET, sometimes you find that certain things aren't enforced the same way. So you have filters, ViewState MAC; sometimes it works for a POST and doesn't work for a GET, which can be very bad. Yeah, and the reason that's kind of interesting is a lot of AJAX-y, funcified stuff does a lot of POST stuff, and it's a lot easier to forge GETs. So what we found is there's a lot of stuff there where that actually works.
Yeah, and you don't need an XMLHttpRequest to do sort of request forgeries.

So now I want you to meet a few friends. This is Alice, Bob, and Eve, and we have a little demo to show you. Now, Eve has Bob as a friend, but she wants to get some more friends. So what she does is she looks at Bob, who has two friends, which is her and Alice. If we could get that fixed, that would be great. So she wants Alice as a friend. So she goes to Bob's profile and does this typical MySpace social networking type thing, and she wants to leave a comment. Sorry, I was so painfully slow in recording this. So in this comment, she basically says "thanks for the add" and inserts an image tag. That image tag links to off-site content, which is a one-by-one pixel. They have some really elite 1980s antivirus filtering technology that checks for the .jpg extension, so we were very impressed with that. And the ultra-secure CAPTCHA, which is protecting you from all. CAPTCHA makes you safe. And now the comment is posted. Of course, you can't see the image, which is actually failing. So you don't get the nice little red X.

So when Alice visits Bob's profile, eventually... This was done very slowly because it's on a Mac. Sorry. It's all that really cool Core Image stuff. So as you can see on here, as you'll see for yourself, she has a new friend request. Ta-da! The Aristocrats. Basically Alice made a friend request to Eve, but really didn't. So now she has Alice and Bob as friends. I know. It doesn't look earth-shattering, does it? More friends? That sucked.

So you laugh at that. This really gets bad when you start talking about things like innocuous functions. So there are certain things that are painfully obvious to developers or anybody protecting applications. You know, account management, reading messages, deleting messages. These things are all considered privileged functions, things that should be protected.
What people don't really think about are things that don't appear valuable, like logging out or blocking communication or friend adds, apparently, and lots of other things. Yeah, and I think one of the points of that is basically with all of the CSRF stuff, there's really only one defense against CSRF right now and that's just CSRF tokens. And CSRF tokens are not something like a session ID where it's 128, 256 bits, something like that. A lot of these are like 8, 10 bits. In one case, one of the sites actually uses the session ID as a CSRF token, but then they also include that in the URL. So you get a Referer and then you have the CSRF token. Yeah, that's what you refer. Yeah, and so pretty much once you're past the CSRF token, it's kind of game over for everybody.

So let's look at attacking an innocuous function on MySpace. So we go back to the typical Eve, Alice, Bob scenario, but Eve's pretty moody and she doesn't like Bob anymore and she really wants to get back at him. So she goes to Bob's profile and wants to leave another comment. Same type of thing, linking to an offsite image, which is actually some Python code, by the way. I just thought I'd pimp Python a little bit. And she's going to leave him "you're a douche" and post that comment. And of course, once again, ultra-secure CAPTCHA. You are safe because of CAPTCHA. Was I fat-fingering that? What is that? I don't know. We were drinking. So now that comment is posted on Bob's profile. So when Bob goes to his profile, he is notified immediately that he has new comments. So he goes to view the comment and sees the comment. He says, "you're a douche." So being mad, he wants to send Eve a message: "you're a whore." And is logged out. And what this will do is log Bob out every time that he views that or tries to change it, and also log everybody out that views Bob's profile. I totally missed that image. That was outstanding. Oh, yeah, look at that. Live the dream. Start singing now.
I love MySpace ads, as you'll see. So you don't just have to use an image tag to do this. There are certain other methods that allow you to go and get this offsite GET: you could use an image tag, you could use meta refresh or iframe source. Now some of these are painfully obvious and social networks do protect against them. I think all of these are pretty painfully obvious, but most of them still work, which is kind of frightening. One of the other things with that is, if you look at it, there's been a lot of malware propagation that's been using things like CSS on Blogger and a lot of other sites that let you do your own CSS. So like MySpace will let you link to loads of images and all this external content, because you want to have the dancing butterflies and all that on your page, because it makes you cool.

Actually, something really awesome that somebody told me last night is that Jason Scott is personally responsible for goatse'ing 235,000 people yesterday. So apparently the story goes, and I'm sure he'll tell you a much longer version of it, that somebody created a MySpace skin, or whatever, and they linked to some content on TextFiles.com for it, and he mailed them and it's like, please stop, and they're like, ha ha ha, it's the internet, you can't make us, or whatever. So he just wrote a 302 that bounced them to goatse. So 235,000 people on MySpace just went to their homepage. And what's really cool about that though, which is what I said, I'm like, I wish we would have talked to you first, because you can do far worse than that. You know, we could have logged all of them out permanently every time they logged into their page; all of the CSS that included that image would have logged them out, and anyone else that viewed their profile.
You know, obviously you could also have turned them essentially into your own kind of personal botnet, bounced all of those requests to different hosts that you want to target, and you have 235,000 different unique IPs that are at your disposal. So I mean, basically, external content equals fail. Apparently microphone equals fail too. And it's not just logging people out. Something that would be a lot harder to detect, doing the same thing, would be to block communication. So you could actually block people's communication as they visit your profile, and they'll never be able to send you a message and you'll never know what's going on. So that kind of makes it a little interesting as well.

So let's talk about some logic attacks on social nets. Now logic attacks aren't really that straightforward. So it's not like you can find a vuln scanner that's testing for particular logic attacks. It's extremely difficult to identify, and you're going to love our... so let's talk about Adult FriendFinder. Everybody's favorite social network. And I see some people are looking very scared right now and that is very funny. Yeah, so we argued about this for a while, and it's actually kind of hard to define now: we're talking about looking at social networks, and so what's a social network and what's not? I mean, like Blogger has kind of a friends list, your blog is friends with my blog, blah, blah, blah. LiveJournal has some components like that. And so we kind of arrived at, in arguing about that, we decided that Adult FriendFinder was actually a social network. The only difference is that when you friend somebody, you fuck them. It's kind of like MySpace. We're just giving you a hard time.
So this is a logic flaw in Adult FriendFinder that allows you to do a certain sort of privilege escalation to view pay-for content. Now, here is a standard profile and this member is online now. As another standard member, you should not be able to view standard member content. Now I realize it looks like I know way too much about this, but I swear it was for research only and I do not have a bunch of profiles out there in various stages of undress. His current mood is naughty. That's my favorite part. Well, that's not mine. That's somebody else's, but they were in the same geographical area. So you might as well troll a little bit while you're doing research. And we were actually saving you from having to see this. You can come up afterwards and we'll give you the actual screenshots. We have a bunch of them if you really want to. We can also help you find your profile if you'd like.

This basically shows a sort of escalation in privilege, because you're only supposed to view one webcam at a time as a standard member. And I realize it looks like I still know way too much about this, but obviously there's four going at the same time, and I could not wait to get the screenshot and then turn this off. So Nathan mailed me about this one and he's like, I just popped Adult FriendFinder via dirt. And I didn't hear back from him for a couple of days. I was setting up some new profiles, man, in Las Vegas. Oh, okay.

So this is mine, which is out-fucking-standing, because we have one microphone. Thank you so much, AV guys. So one of the big things about all of this is that we really think about social networking attacks as being, just by definition, kind of social engineering. It's all kind of about blended threats. And so it's always tied together. It's hard to talk about one or the other. And that's kind of why it was so fun. A lot of the things that we did either looked at the technical components or they looked at the social.
I think it's kind of obvious that when you combine the two together, it's pretty ugly, pretty fast. Interesting quote off of... Thank you. Interesting quote off of Dan Kaminsky's Twitter from like three, four months ago. He said something about, why do people think I have to weaponize the obvious? I don't know what that means. So yeah, it's just the combination of these two together.

So with that, one of the things that we think about, obviously everybody always talks about like, oh, we can find you on Facebook and tie that to your MySpace and then your Adult FriendFinder and whatever else you have. We kind of think that all the crap that people say about how your identity can be isolated on a social network is kind of retarded. If you share your information on a social net, assume it is public. I kind of say to that, like a footnote, you see Paris Hilton repeated pwnage, right? I mean, it's pretty obvious. Not only that, but jeez, you're putting it on the internet and of course nobody can ever... That's really safe, right? Okay. I have no comment.

So yeah, actually something that was kind of terrifying to us is that Facebook takes credit cards now, which we thought was kind of strange, but apparently they're starting to create some kind of stores and sell things. So yeah, if you give your credit card number to Facebook, I feel like it's ridiculous. When you talk to your coworkers and you say, hey, you know, we're working on this talk for Black Hat and DEF CON and we're doing it on social networks, do you have a MySpace account? Why, yes I do. You should probably remove pictures like this. And what's really funny about this picture is the caption, which you can't read, and it says, does this dress make me look fat? Yeah. So I think that this is Halloween and not Friday night.
Although actually we were talking to somebody about this earlier and they're like, there's a couple other things like this, where from somebody's LinkedIn profile we identified something bondage-related or whatever, and somebody said to us, do you think people at DEF CON really care about, you know, cross-dressing and bondage? So it's maybe not that revolutionary. It's just funny. Yeah, it's pretty funny actually.

So one of the things that I was doing was some social engineering exercises on social networks. It was just something that occurred to me, and other people have talked about it in the past, and I just wanted to see how effective it was. So my deal is that on business social networking sites especially, there's a lot of return on investment for something that's a targeted attack. It's very little effort to do. There's no real validation of any kind that you work for company X or Y or whatever. So if you were going to target like an IBM or the DoD or the NSA or whatever, you set yourself up a profile that says you're an intern there or whatever and you friend all these people and see how many connections you can get. Well, guess what, from that you have email addresses, you have the ability to send them messages and all these other things, and guess what, they're typically accessing these sites from their desktop inside the company. So it's something like 5K to write a piece of custom malware to hit company X or Y, and I actually talked to somebody just a little while ago about an incident that was a very focused spear phishing attack that was specifically like four C-level people in a company. So this is a great way to get inside somewhere. So yeah, it's typically just about building some kind of plausible profile from public sources, getting a respectable number of connections to where it looks like a valid profile.
And then, like I said, in our case we really just wanted to demonstrate how trivial it was to build those connections. I think it's pretty obvious what the next step would be after that. So what we did was we sent this email out to a whole bunch of high-profile security people who didn't have any footprint on social networks, and most of them said hell no. Actually, I'll tell this story here, this is kind of cool: we actually asked Bruce Schneier, Phil Zimmermann, and Marcus Ranum and a couple other people I won't name because they're coming soon. And actually he was kind of a douche about it. I've been using that word "douche" a lot lately. I really wanted the chance to call Schneier a douche at DEF CON. So he actually told us not only was it a bad idea for him personally, but that it wouldn't work. So our entire thesis was wrong. But Phil was really kind of funny, because he said, people really think... my whole kind of, how people hire me to continue to do things, you know, I'm an independent consultant and things, and he's like, you know, they really kind of think Phil Zimmermann is a nice guy. And I'm pretty sure people are going to really think I'm an asshole now. I'm like, I think really they'll just think I'm an asshole, but we can respect that.

Marcus had no problem with that. So his deal was, all these people keep sending me all these things on social networks, and I keep telling them how retarded this is and what a bad idea it is, and nobody will listen. So, you know, go for it, fire at will. And he's like, do you want to know my bio? Do you want my resume? No, no, no, let us figure it out, we'll see what we can do. So over the course of a couple hours, what we did was, basically every time a company hires Marcus Ranum they put out a press release. So we built his resume, right? It's like, he started this date, you know, Ranum joins Tenable, Ranum joins NFR.
Took us a couple of hours to put that together, found a press release photo from a conference and took his bio off of his own website, but then the next step was, how do we create enough connections to make it look legitimate? By the way, there are five Kevin Mitnicks on LinkedIn, just related to that, and what's really kind of bizarre is that most of my connections are connections with one of them, but it's not really clear which one. So if anybody knows which one is actually Kevin, you know. Maybe he just forgot his password. He might have forgotten his password, we don't know. Yeah, and actually, for what it's worth, I've heard from a number of people that when that happens it's really hard to get your profile off later; they're not very responsive to getting some help.

So anyway, we needed to get kind of quick legitimacy, and so on MySpace these kind of people get called friend whores; on LinkedIn I kind of call them link whores. So these are basically people who on LinkedIn think it's really cool to have lots of connections for no reason I can really discern, and this particular search is 835 people identified on LinkedIn who are people who will accept friend requests from anyone, who are also CISSPs and also work in the security industry. There's another one that I don't show here that's like 500 of those that also work in the defense industry, which I thought was pretty damn cool. So what we did is we just went through a list like that and we sent them all friend requests as Marcus, and these are CISSPs, right, so they should know. And what happened?
That was actually a joke. It was a joke. So what happened was we ended up with about 40 or 50 connections as Marcus over the course of, I think, like 4 or 5 hours. From that, what we then started doing is joining all the LinkedIn networking groups. So we made Marcus a member of the Security Thought Leaders group and the Black Hat group, and I actually have to give DT props on this. We joined the DEF CON group too, I think, but for the Black Hat group there's another group for Black Hat speakers, and he mailed me and he's like, should I let you join that? And I guess apparently they do normally validate somehow to make you a member of that. But yeah, he joined the CSO group and the ISSA group and the ISACA group and all these other things, and then from that we started kind of targeting people a little bit, just, like I said, to make a connection with them.

So the end result was we got about 50-odd connections, like I say, in about 24 hours, and so from a Fortune 10 company, I'm going to not say which one, a number of people from the defense industry, a bunch of old co-workers and things of Marcus's who would mail us and say like, hey man, I'm so glad you're on here, give me a call, here's my phone number, here's my new email address, I've got something I want to talk to you about. ISSA people. There was one guy which I thought was really cool; he accepted our request and he's like, thanks Marcus, love your product, I use it all the time for security testing, I'm an independent consultant. And Marcus, you know, us as Marcus, replied back like, thanks a lot, make sure you register the official version, you know, we just changed the licensing. So my personal favorite, though, is the one down below. He got this friend request and it says, I don't know if you can see it, it says, whoa, you're on here now, can I be in your network? And it says they're former classmates at college, and so I said, well man, I'm like, an old girlfriend or something. So I mailed it to Marcus and he said, no, that's my
sister. And by the way, if you were on his connection list, his email address was marcus.ranum at gmail.com, and anybody who knows Marcus knows he's had the same email address for like 20 years, which is mjr at ranum.com, and that's the only email address he even has on his page. And he presumably told his sister at some point, if you see anything other than that, that's not me.

So yeah, after that we went through another exercise. We actually didn't have permission for this, but I have a good explanation that I'm not going to go into. So what we did was, there's a lot of security people now that are starting to get on Twitter, I wonder who those are, and there's a lot of the security blogosphere, the thought leaders, and all these people that are all on there. And so what I did was the same kind of deal, and it was actually far more trivial. I just found a picture of Gadi, linked to his blog, and then what I did was I started following funsec, his listserv, and every time a new post came on there I just tweeted it and said, hey, check this out, this is really cool. And then actually started to develop the Gadi voice. There's one here that's a RealPlayer stack overflow from ZDI; anyone who knows this, it's different than the heap bug, and a URL to it. I'm kind of talking about that.

And what happened was people were talking a lot about the DNS vuln, and there was a journalist who said, is anybody seeing this exploited in the wild? And so Gadi replied and said, it's not something I can talk to yet, but yes, it's out there and it's going on. So this guy started sending us messages like, can you talk about this, can you do an interview, and, you know, catch us, talk to me, I'm on Twitter, I'm always on here, so just send me messages. And so actually I have to give props to HD Moore on this. He was actually on Gadi's friends list on here as well, but Gadi posted and he's like, look, someone's impersonating me again, and posted on his listserv and then on
his blog. And for a while there I kept going, I'm like, no, no, I'm actually Gadi, and so on. But this guy... we had about an hour where we were just about to become an anonymous source in a large security rag, and I don't know if it would have ever made it, but our theory was, what we were going to do, we thought it sounded much more illegal if we actually said we were Gadi in the interview, so we said, we'll go off the record, and we were going to insert this meme that all the DNS cache poisonings being attacked are sourced out of Latvia. It's all Latvia. And so we're like, when you see that everywhere, like, we did that. But we eventually outed ourselves, and the end result of that is that the actual Gadi is now on Twitter, and for that we're terribly sorry.

Okay, let's talk about some MySpace apps. So MySpace apps, anybody familiar? It's OpenSocial, and it combines these convenient APIs: 100% arbitrary code, write once, run anywhere. Yeah, that was kind of the intent. OpenSocial was created as essentially a competitor for Facebook apps, because Facebook was getting ahead of everybody with it, and it's a loose conglomerate of all the major social networking sites that have come up with a standard that interoperates. And so essentially you could create one OpenSocial app and it should, in theory anyway, run everywhere. MySpace, and we want to point this out, like I said, they were just the first to really do it, other than Plaxo, which nobody cares about; they were the first to go live with this. Yeah, and that's one of the reasons we chose this, because there's been people looking at the Facebook-type apps, and there's been people who have written bad Facebook apps on purpose, other than just the developers who write bad Facebook apps to begin with. But OpenSocial is kind of a neat thing, because there are a lot of different social nets that are implementing it, so if you have a
particular piece of malicious code, you can propagate that through every social net that implements it, as long as you have developer access, of course, which we'll get into in a few minutes. Apparently on Facebook you can just add the developer app, and the only thing you need to do to publish your application to the world is have five friends. Don't really know what that's all about. We made five friends. Yeah, and they all friended each other.

Okay, for MySpace you had to go through the development process. So you had to submit this form, and basically it asked your name and your email address and the company you work for, and then it said, why do you want to become a MySpace developer? So I don't remember the exact wording that I put on the thing, but if they would have looked at my blog they would have said, hey, we're speaking at Black Hat and we're speaking at DEF CON on social networking vulnerabilities, all this kind of stuff. So obviously they didn't go there. What was your developer app that you proposed? Well, I said I was working on an application for sending messages based on the unbreakable ROT13 encryption scheme. And somebody, yes, somebody at MySpace HQ went click approve, click approve, click approve.

And some interesting things about this too, with many social networking apps, is it's centrally managed. Basically your code is in the center and everybody automatically gets the most up-to-date version of your code. So if you were going to launch some huge attack, what you do is attach to some meme, get a lot of people installing your app, and then at one point you flip a switch and now you have the malicious code going out to all these people. So even if it was detected at some point, there's a lot of damage you can do in a very short amount of time with these applications, and you can kind of make your own personal little botnet.

So the social networks, how they kind of handle this, is they're counting on the domain security of the
browser so there's a lot of you know same origin type things so when you when you run MySpace apps for instance it comes from api.msappspace.com so they typically they put the disclaimer on there and they make it sound like you know we didn't write these apps which is perfectly reasonable and they said we're not really kind of publishing these apps but they are if you read the EULA you know you're absolving them of kind of any accountability for anything that happens and like kind of our point is the really the only thing that they're really getting out of running these in a separate domain unless you know unless you can hop over same origin you can't hit them because that's really the intent they really need to continue to sell ads and deliver service but there's nothing obviously in the process or the ability to push out an app or anything else that keeps their users protected you're just they're protecting themselves from their own apps essentially they're not protecting their users from their own information which is kind of funny on a social net and they're not protecting their user environment from malicious apps they're not protecting apps from other apps as we'll see so what about same origin we kind of already went over all that but when you have access to the API there's like some nice documentation around that it says the browser security model won't allow you to request data from another domain so here's these helper functions that allow you to do just that so you can construct any get in any post to any site now the one thing I will say about that with regard to cross-site request forgery and stuff like that is it doesn't execute from the client machine it's actually a server on the MySpace network that will go out and get that and that's coming up so it depends on your goal I mean sometimes you just don't care about same origin if your goal is to you know put some malware on a client then you really don't care where it comes from why do I need elite 
zero-date XSS when I can just pop the client itself and get your MySpace password that way or whatever it is right I mean we have a if we have an arbitrary iframe that we can execute any code from we've got lots of other ways to get your credentials you know it doesn't seem to make a lot of sense to really care if we can hop across but like I said what it does do a great job of is protecting them you know from from any of these things and kind of sitting down and thinking about this it's there's a lot of very smart people looking at trying to get JavaScript to execute in the context of these social networks so when you sit down and think that I hate this microphone when you sit down and think about it why spend you know hours days months trying to get JavaScript to execute when you can just ask for permission and they let you execute anything you want to so this doesn't look well that's my dumb face but this doesn't really show too much and the funny thing is there's an application added to my page called C-surfer I wonder what that does but C-surfer is reading a token or it's reading a cookie from another app called Pants status Pants status down for maintenance yeah down for maintenance so that doesn't look like too earth shattering and it's really not but it just shows that apps can call other app built-ins it can request data and coming up here pretty soon will show you can actually take the entire code from somebody else's self-contained app copy and paste it into your app and call the same stuff and get the same data back that is bad now if I don't hold the if I don't hold it like this it goes out that's why I'm trying to like look like I'm singing a rock song how about this this okay that's awesome I can't wait to see this video woohoo so the point of this you know a lot of this is that fundamentally it's all in the same domain just by definition so I don't want to see that Jesus so you know there's nothing you can really do about it the cookie is you know 
associated with api.msappspace.com you know by definition you can you can call anything that these other apps are doing so if they're doing like secret shit I mean it just doesn't work you know so yeah I mean obviously you know we're accessing that cookie we can steal any other functions the apps do they're all in this giant you know sort of Mad Max Beyond Thunderdome land of apps beating the crap out of each other I'll take the one that it actually works hey wow cool so here's an example now we have now we have cool so here is a function call called make request and this is an open social thing and it's using gadgets and it's basically an example of how to construct a get request using the api it defaults to a get if you don't specify a post and here's an example of a post one couple things to note here is the different params you can add to it so you can construct it to look like anything you want to you can add headers and do all those other funky things well and the other thing to point out because there's like the whole like all the cool kids it's like Ruby on fails versus python blah blah blah kind of thing is that you know some people are in the rest you know mindset versus Ajax and so they built everything to take gets or posts so you know if you're C serving and you have some way to get there there's you pretty much can figure out any method you can construct the request is going to get there and somebody specifically enforces the method right yes well with yeah so here's some some more on open social like we already talked about that more the reference yet more on open social no I did not say that that may have came out of my mouth now there's some reference for it now what happens when you do these gets or posts it sends it to something called relay dot proxy and that relay dot proxy goes and grabs whatever information that you requested the funny thing about that is you don't even need to be a developer to send anything to relay dot proxy so I mean did 
you just now have your own my space anonymous proxy as you can see here just sending it to hex or sending to what is my IP dot com that IP address is the IP address of the server on the my space network my space as open proxy so we thought that was pretty cool so let's talk about some apps capabilities and this is really something if you put it on a social net if you put it on that social net it's available to a developer so they can query anything in a lot of these social nets will actually go beyond that and extend it so so my space has my open space which allows you to do some extra things even on top of open social so pretty much everything you're you're making the developer and that application of friend so anything a friend could do on your page or look at that app can do and a little with a little bit deeper actually and kind of by definition if you gave it to the app odds are the way that literally like 90% of these work unless they do something really really simple is that they're running a web server somewhere and they're sucking down whatever data you have via the app and then sending it to another site well that's another thing too is this has this data has persistence so if you submit data to one of these apps and then you remove the app and then add the app back again your data is still there so anything you provided to an application is probably storing and storing off site send naked pictures of your wife via PGP the email rather than a social net yeah well yeah okay sorry so there's a couple different we've been doing that all day there's a couple different things to note here you can either do it kind of two different ways you can use the API and write code or you can just pipe in an iframe and that becomes important later so let's talk about a little social net app jiu-jitsu attacking social net applications is very trivial I bet you nobody ever would have thought that that could be true a lot of these apps are actually real quick is harmony guy 
here no if you are like and don't you don't have to raise your hand but like we want to buy you beers so there's a there's a person and actually via social nets I kind of have an idea who they might be who has done a lot of stuff looking at social nets and it's he's really cool because if you read his blog he's like I can't believe that worked you know he's he's like a student and he has opera and opera has like kind of a built in little tamper thingy and so it's like installs and happens let me change that what happens and he's responsible for like the first you know open social you know app that he was able to compromise you know and it was it was 45 minutes after launch you know and and his his old deal he's like I can't believe this works you know so these apps are actually delivered in one of three places for the most part and that's they they have this app called they have this part of the app called the canvas and a lot of a lot of times if it's a game or something you're playing all that will come on the canvas and of course allows developers to put ads and stuff in there on the canvas you also have the profile which is your profile view and then your home view you can you can have a contained app that grabs external content and it's also coded by people who shouldn't be writing code and let's take a look at a few examples what I did when I went through just I thought that we needed some own social network apps for our presentation and I'm like what he kind of went on a rampage for a weekend it was really kind of terrifying so kind of sad at the same time well yeah it shows how I spend my weekends but I looked for anything that said allow secret communication or covert communication communicate secretly with your friends I saw this thing called the keep it real box and it's written by Mar the first hood social app developer and I'm like wow that's great and if you notice P. 
Diddy is a friend of this application it's a horrible picture and Tia Tequila this is the developers inbox of secret messages that took 30 seconds 30 seconds as long as it took to open an interception proxy and change a param there's no validation of it and another funny thing about that is if that was your information and you're making the assumption that you're communicating securely you're wrong I actually just noticed that the first message in there is I think you sexy now and then oh well I'm sorry oh thanks I think something I'm sorry again this guy's sorry a lot Portland Avenue that's in okay here's another app it's a comma sutra poll imagine what kind of questions they ask here yes reverse cowl girl is on the list of sexual earlier I said Nathan's number one was reverse cowl girl but it is actually spread eagle was the answer to the favorite position and there's 54,000 people I just noticed that I've used this app 54,000 people that use this app and first of all this is dangerous anyway because it shows you people who match your responses this is really much better than an adult friend finder app and actually I just noticed that 1% of all people are like you and I would say it's a true statement yeah 1% so this kind of highlights a problem with social nets a lot of people complain about social networking as being bad for privacy well if you think it's bad for privacy just answering the questions add a few of these applications they're really bad oh by the way these aren't my results these are somebody else's results by the way now let's take a look at an application that's quote unquote properly done in open social so this is a self contained open social app that just sends requests back to a server so it's utilizing signed requests right auth type equals signed actually we don't really know what that does we don't think it does anything apparently it doesn't do anything so if you if you look at what this ended up on this person's page I injected a picture 
of my face on there and I said most recently kissed by haxer so and here's the request which is kind of funny if you notice if you can read it it says auth type equals signed and then of course you have the from user ID to user ID nothing earth shattering or anything and then of course the link to the image which I couldn't resist putting my face in there so no discussion on this would be complete without talking a little bit about kaha kaha is open social google slash myspace javascript javascript on the short bus yes it's made to take your bad javascript run it through kaha and then make safe javascript we didn't really look at trying to test this because we didn't have to follow it so it's completely opt in so it's like use code code no I don't think I will you know it didn't make any sense because if we were going to write a bad app we just won't use kaha won't use your security features so let's look at a few this app is called Dawser and it's under dating in relationships and it says general kick to the nuts and that is a guy kicking an old man in the nuts really hard we'll send you the phone which is basically what this app does when you install it because it logs you out after 7 seconds and everybody that views your profile out after 7 seconds yeah and like Nathan pointed out it shows up on your home, your profile everywhere else and creates the canvas and does that and these are just again these are just silly proof of concept things that we can do but we obviously we can load it if we're able to use really proxy but any content we want we don't need it we don't need XSS we'll just give you an active X control to download or bad flash or whatever we want to do this app is called C-surfer and I don't think I need to explain what that does but it demonstrates 3 different ways to do C-surf on my space image tags, iframes and meta tags oh my and then of course also demonstrates content on the canvas profile in the home gotcha we made it with 3 minutes ago so 
here's some of our recommendations and this is usually where people start to get up and leave it's like we don't care how to fix this stuff we just wanted to see what was bad kill external content obviously you can't control what goes off of your site it's just not possible some of the other stuff is reduce API functionality a lot of these APIs allow you to do so many crazy things that you'd never even imagine and the reason that is is because they want to make it as available to every social as possible so if you just created something that was specific to my space that might not hit high five or linked in and actually something about a lot of this stuff that we talked about earlier is that because it's all users who generated content really your whole goal is to get people to come to your site and move in and so if you do anything to restrict them or make it kind of tricky they'll just go somewhere else and so it's very much about just giving them as much functionality as they possibly can have and that's why they end up with a lot of fail on the external content one of the things that I've kind of said for a while is I think a couple of sites will like partner with photo bucket and a couple like other image sites and only let you link the content there I think that's a good idea it sounds pretty reasonable and if you have security models don't make them opt in because opt in always equals fail even like I mean I use no script when I browse the internet and I would say that probably a lot of people here do but not a lot of people out there in the real world do so this is very small it just occurred to me I wonder if we say douche bag or fail more like which one we need like a running tally we need a douche bag and fail counter okay like I said that's a new social network app coming soon fail counter like I said like kind of threat modeling I mean there's a very large silicon valley information security firm that just did a very expensive review of MySpace and 
we're kind of baffled that they didn't find any of these things because we just kind of got drunk you know that first C-surf was 45 minutes into deciding that we felt like doing it so we had to like boot up and then we had to get on Sean's wireless network which was almost impossible even for having to do it normally even for me yeah it kind of props to late adopters people take their time adding some of this to the people who are jumping on first are the ones that are looking really bad so a couple sites haven't even though they're members of the open social standard that's a smart thing to do yeah developers developers developers or lack thereof the profile lifetime bit members since that would like let you know alright well anyway if you want to talk to us we'll be around please come by ask questions room 106 106 thank you