

Hacked Facebook Apps used IFrames to Force Malicious Software on Users - suprgeek
http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php

======
robotrout
> Thompson found that the iframes had been injected into the apps' code due to
> infected software on the developers' PCs.

So, he's saying that somebody created a virus that looks for HTML files on a
hard drive, so it can inject iframes into them, in the hope that the person is
a developer who will upload them to the web?

That seems like a lot of work for a pretty tiny probability event. It must
have been something they just threw in as a feature on another virus.
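The comment above describes the mechanism the article reports: iframes silently injected into a developer's HTML files on an infected workstation and then shipped to users with the app. The following is an added defender-side example, not code from the thread or from the article, showing the kind of pre-deploy check that catches such injections: it parses HTML with the standard library and flags any iframe that points outside an allow-list of the app's own hosts, is sized to one pixel or less, or is hidden by inline style. The sample page and the allow-list hosts (`app.example.com`, `static.example.com`) are constructed placeholders.

```python
"""Flag iframes that look injected into an HTML file: hidden, tiny, or
pointing at a host outside the application's own allow-list.
Added example; stdlib only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical app legitimately embeds (placeholder values).
ALLOWED_HOSTS = {"app.example.com", "static.example.com"}

# Constructed sample page: one expected embed plus one injected, hidden frame.
SAMPLE_HTML = """<html><body>
<h1>My App</h1>
<iframe src="https://static.example.com/widget.html" width="300" height="200"></iframe>
<p>Thanks for playing!</p>
<iframe src="http://bad-host.example.invalid/load.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# Inline-style tricks commonly used to keep a frame off-screen or invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag with its line number."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _ = self.getpos()  # line of the '<' that opens the tag
            self.frames.append((line, {k.lower(): (v or "") for k, v in attrs}))


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unparsable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def assess_iframe(attrs, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of reasons this iframe looks injected (empty = benign)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host not in allowed_hosts:
        reasons.append(f"src host {host!r} not in allow-list")
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny frame (width/height <= 1)")
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden via inline style")
    return reasons


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(line, src, reasons)] for every iframe with at least one reason."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, attrs in parser.frames:
        reasons = assess_iframe(attrs, allowed_hosts)
        if reasons:
            findings.append((line, attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for line, src, reasons in scan_html(SAMPLE_HTML):
        print(f"line {line}: {src}: {'; '.join(reasons)}")
```

Run over every HTML file in the app's source tree before upload (or as a pre-commit hook), a non-empty result is a signal to stop the release and treat the developer machine as compromised, which is where the article locates the infection. The allow-list is the important part: size and style heuristics can be evaded, but a frame loading from a host the app never uses is hard to explain away.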

~~~
spudlyo
If I were an evil hacker mastermind, I would definitely analyze the hard
drives of all the computers in my botnet, trying to profile who I had
ensnared. Maybe certain library and header files are a telltale sign of a
Facebook developer.

------
axod
"If they download and execute the file, they will infect their computer with
Koobface"

Don't download stuff and execute it? Can't really blame anyone but the users.
It'd be nice if browsers made more hoops for users to jump through to execute
things they downloaded. I like the fact on OSX it warns you that the prog
you're about to open was downloaded from the net.

~~~
fnid
I went to my aunt's house once and she was distraught because there was a pop
up on her screen that said she had a virus and needed to click here to clean
her computer.

I said, "Don't click that, it's fake." And she looked at me shocked. I said,
"It's a popup malware thing from the website. It's not real!"

She said, "How do you know? How do you know what is real and what isn't?"

Man, that really hit me, not just in the virus case, but metaphysically. How
do we know what is real? I had to really think about it. How did I know that
popup was fake, but she didn't? How could I teach her to know the difference?

It really made me aware that computer skills are a gift. Some people have them
and some don't. People just _know_ what is going on.

For many of us here, knowing the difference between what is real and what is
fake on the computer is fairly easy. Is it also that easy in real life? Do you
know when that business man is lying to you? Do you know when some investment
is a bad deal or a startup is a scam?

Don't be so hard on the users.

~~~
axod
Sure. I get what you're saying. It's not a simple matter. I was just meaning
it's in no way Facebook's fault, and there's not much Facebook can do about
these sorts of scams.

I think everything will be a lot better once the average user doesn't have the
ability to run executables. All they have is a browser, which in a large
number of cases is all they need.

~~~
fnid
I'm not sure it's valid to say Facebook can't do anything. They did take
infected apps down. That's one thing. They could have an approval and
monitoring process to protect their users.

People blame Microsoft all the time for viruses and being an unstable
platform, which is mostly due to bad software running _on_ windows than it is
Windows itself. Sure, you could say they could improve their scheduling or
compartmentalization of apps, etc.

My point is that Facebook is the medium and they can do something. Apple does
something with the app store.

I am biased though. I don't have a lot of sympathy for facebook or their
users. I don't have a fb account and don't really care to, but that's beside
the point. Facebook is the vector for the vector and they _can_ do something
and have done some things already. They could do more.

Why don't they? Because any restrictions slow growth and that's all they care
about. They don't care about the individual users, they care about the graph.

~~~
axod
>> "Why don't they? Because any restrictions slow growth and that's all they
care about. They don't care about the individual users, they care about the
graph."

I think that's pretty bizarre. I seriously doubt they're purposely not
removing apps that try to get the user to download executable code, in order
to grow their userbase faster.

~~~
fnid
I didn't say they purposely weren't _removing_ apps to promote growth. I'm
saying they aren't doing other things to avoid _inhibiting_ growth. Things
like a review process, monitoring, etc.

