Facebook’s URL Scanner Is Vulnerable to Cloaking Attacks
Members of a hacking think-tank called Blackhat Academy claim that Facebook's URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.
Such attacks involve Web pages filtering out requests that come from specific clients and feeding them content that is different from what is displayed to regular users.
Attackers have been using this method to poison search results on Google for years now by serving keyword-filled pages to its indexing robot, but redirecting visitors to malware when they click on the links. However, it turns out that Facebook is also vulnerable to this type of content forging. "Hatter," one of the Blackhat Academy members, provided a live demonstration, which involved posting the URL to a JPEG file on a wall.
Facebook crawled the URL and added a thumbnail image to the wall post; however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's original request and served a JPEG file.
"While most major sites that permit link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests well identifiable," the Blackhat Academy hackers said.
"These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name," they explained.
Earlier this week, Facebook signed a partnership with Websense to use the security vendor's cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it.
Websense doesn't believe that to be the case. "This is nothing new. We use many methodologies and systems to ensure that our analysis of content (in real time) is not manipulated by malware authors, including using IP addresses not attributable to Websense so that malware authors are unaware that it is Websense analyzing the content," the company said.
"Also, the Websense ThreatSeeker Network is fed via an opt-in feedback loop from tens of thousands of customers distributed globally. These IPs are also not attributable to Websense.com. It is because of technologies like this that Facebook chose Websense to provide protection for their growing user base of more than 750 million users," it added.
That could well be true, but it's worth keeping in mind that Websense primarily sells security solutions to businesses and Facebook is usually blocked on many corporate networks. It would be logical to assume that relying on its customers' appliances to scan URLs on the social networking site might not have an immediate impact.
Hatter says that as a security research outfit Blackhat Academy follows responsible disclosure and notified Facebook of the content cloaking issue at the end of July. Despite this, the method still works.
"We're well aware of the content forgery technique described and have built protections into our systems to account for it," a Facebook spokesman said via email.
"The content returned when we crawl a shared link is only one of many signals we use to combat spam and abuse on Facebook. We know that this content can change between visits, and thus can't always be trusted, and our systems account for that," he added.
Earlier this year, Facebook signed a partnership with Web of Trust (WOT), an organization that maintains a community-driven spam URL block list. However, it's well-known that blacklisting is not very efficient and there can be a significant window of exposure between the time when a URL starts being spammed and the time when it's flagged by such a system.
At the very least, content cloaking can be a powerful social engineering technique. A link with a .jpg extension accompanied by a thumbnail can look harmless enough to trick a lot of users into clicking on it.
Facebook and Websense are not the only ones with this problem. Google+ and Digg are also vulnerable to cloaking attacks, but other sites such as Twitter have developed strong protections against them.
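A defensive check for the cloaking described above, added here as an example and not taken from the article or from any of the companies it names: it compares the response a link scanner captured with the response captured for the same URL by a browser-like client on an unrelated IP address. The dictionary field names, the hostnames and the sample captures are assumptions constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def fingerprint(resp):
    """Reduce one captured response to the fields that cloaking changes."""
    return {
        "status": resp["status"],
        "type": resp.get("content_type", "").split(";")[0].strip().lower(),
        "location": resp.get("location"),
        "sha256": hashlib.sha256(resp.get("body", b"")).hexdigest(),
    }

def cloaking_findings(url, as_crawler, as_browser):
    """Compare what the link scanner was served with what a browser-like
    client on an unrelated IP address was served for the same URL."""
    crawler, browser = fingerprint(as_crawler), fingerprint(as_browser)
    findings = []
    for field in ("status", "type", "location"):
        if crawler[field] != browser[field]:
            findings.append(
                f"{field}: crawler={crawler[field]!r} browser={browser[field]!r}")
    # A static image should be byte-identical for every client.
    both_images = (crawler["type"].startswith("image/")
                   and browser["type"].startswith("image/"))
    if both_images and crawler["sha256"] != browser["sha256"]:
        findings.append("image bytes differ between clients")
    # The case from the article: the link ends in .jpg but a browser gets no image.
    is_image_url = urlparse(url).path.lower().endswith(IMAGE_EXTS)
    if is_image_url and not browser["type"].startswith("image/"):
        findings.append(
            "URL has an image extension but the browser response is not an image")
    return findings

# Constructed sample captures (not real traffic): the scanner is served a JPEG,
# the browser-like client is redirected elsewhere.
SAMPLE_URL = "https://example.test/photo.jpg"
CRAWLER_VIEW = {"status": 200, "content_type": "image/jpeg",
                "body": b"\xff\xd8\xff\xe0 constructed"}
BROWSER_VIEW = {"status": 302, "content_type": "text/html; charset=utf-8",
                "location": "https://video.example.test/watch", "body": b""}

if __name__ == "__main__":
    for line in cloaking_findings(SAMPLE_URL, CRAWLER_VIEW, BROWSER_VIEW):
        print(line)
```

Any finding means the thumbnail or verdict recorded at crawl time does not describe what users receive, so the link should be re-scanned or treated as untrusted.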
Source: https://www.pcworld.com/article/477190/facebooks_url_scanner_is_vulnerable_to_cloaking_attacks.html
Posted by: knowleswerefurser56.blogspot.com
