In a recent article, Social networks face user content risks, Web application vulnerabilities, Robert Westervelt of SearchSecurity.com predicts that third-party applications used on some of the more popular social networks could become the next avenue of attack for cybercriminals and malicious attackers.
To draw users in, many social network provide application program interfaces that make it easier to create apps that can be run from a user’s profile page on the network. Apparently, it is working. As social networks strive to provide their members with the latest flashy widget, they rush to approve applications that can be created by people whose coding experience runs from expert to amateur at best.
Providing these development tools to their users is a great way to promote not only their network, but programming in general. However, one of the biggest problems the software industry faces is security vulnerabilities caused by a rush to market. As this poses a major problem when professional programmers are used, imagine how dangerous releasing applications to the public that were written by programmers who have not gone through any quality control checks to make sure their product is not vulnerable to common exploits.
On one hand, it is easy to say that it is up to the social network itself to weed out any potentially insecure applications before they are made public. However, even in the strictest environments this is impossible. Take a look at Apple’s iPhone app store. By far they have one of the most comprehensive testing environments for apps that they release, however Nicholas Seriot proved just recently that even the App Store’s rigid set of requirements can be tricked by encrypting the payload or making some runtime changes to a malicious application.
Bringing up Seriot’s findings calls to question one area that this article did not address, the number of third-party apps that make their way into other software used by businesses every day. As IT professionals, we are constantly looking for ways to enhance the way we do business with the help of technology. To build upon existing tools, like WordPress or Content Management Systems, plug-ins, components, modules, etc. are often installed because of the promises they make. Little thought, if any, goes into researching what processes these applications have gone through to insure they are secure.
As more business has moved to the web, the need to share data and content has never been greater. Using API’s, we are able to create mashups to share basically anything we need between web applications. We can embed presentations from SlideShare, commentary from Twitter, and videos from YouTube onto our sites in an effortless fashion. While we may be under the impression that we are building a reputation by providing content, how much thought goes into the possibility that we are embedding malicious code along with it?
So where does that leave us? Should we abandon our smart phones and cancel our LinkedIn and Facebook accounts? Should we strip our web sites of all interactive features and mashups? Not at all, but it does mean that as consumers and professionals, we should be smart about what we put our trust in. Before we install anything, make sure we know what it does and who created it. Before we post anything, look at the code that drives it. Before we sign up for anything, make sure that the people who created it take security seriously and have taken every opportunity available to secure our personal and sensitive information.