Forgot your password?
typodupeerror
Facebook Java Security The Internet

Facebook Hacks Points To Much Bigger Threat For Mobile Developers 59

Posted by samzenpus
from the protect-ya-neck dept.
DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."
This discussion has been archived. No new comments can be posted.

Facebook Hacks Points To Much Bigger Threat For Mobile Developers

Comments Filter:
  • Not just mobile (Score:5, Informative)

    by schneidafunk (795759) on Monday February 18, 2013 @01:39PM (#42937551)
    This exploit was through Java. It was on a mobile app development site, which made it more likely to be installed by a developer of mobile apps, but it certainly isn't limited to just mobile developers.
    • If you are developing in java, certainly.
      • Re:Yes (Score:5, Funny)

        by WebManWalking (1225366) on Monday February 18, 2013 @02:05PM (#42937807)
        I develop in Java, but I don't have applets enabled in my general web browsing.

        OMG. Are you saying that there are developers who use only one browser for everything?
      • by Anonymous Coward

        I develop in Java, but it's all server-side. Most of the Java developers I know of are either server-side or mobile.

        Unless you're actually developing applets, why would you want them enabled?

      • As someone who developed Java for a few years, I never enabled applets. No one really develops applets.
  • Curious (Score:5, Insightful)

    by koan (80826) on Monday February 18, 2013 @01:47PM (#42937629)

    "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"

    Can a hacker really compromise user data any more than the user that freely gave it away?

    • Re:Curious (Score:5, Insightful)

      by wbr1 (2538558) on Monday February 18, 2013 @02:51PM (#42938213)

      "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"

      Can a hacker really compromise user data any more than the user that freely gave it away?

      By hacked, facebook means, freely given user data was stolen without our tithe.

  • I'm an iOS developer, and frequent some development websites - but none I go to use Java. Does anyone know what site is affected? It seems like that would be REALLY useful to know to know if you were potentially impacted.

    It's a good thing macs ship without Java by default now, that probably protected a lot of people.

    • by Synerg1y (2169962)

      If it's in the news, you can probably assume that the treat's been neutralized, however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months, which on your profession would be everybody. However, interestingly enough I can't seem to find any mention of specific mobile dev sites. Do check your hosts file though for rouge entries.

      • however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months,

        That's kind of bad advice though. It covers way too many people.

        I don't even have Java installed so I don't need to check anything, as far as this story goes... but it would be really good to know what site EXACTLY was the cause of the problem so we'd know to look out for other ways the site may have been exploited if we visit. I mean, is every mobile developer on the planet now supposed to change

      • by Anonymous Coward on Monday February 18, 2013 @02:18PM (#42937915)

        Do check your hosts file though for rouge entries.

        The mauve and pastel entries are usually legit though!

      • Do check your hosts file though for rouge entries.

        This is another thing that just doesn't add up. Lets say I did have Java installed, and visited this rogue site. Ok then, how did my hosts file get changed? I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.

        To me it seems way more likely that it's not just any developer at risk, but that it was a very targeted attack on small groups of de

        • Ok then, how did my hosts file get changed?

          Privilege escalation, arbitrary code execution.

          I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.

          That point is moot if the exploit doesn't require any interaction.

          • by SuperKendall (25149) on Monday February 18, 2013 @04:07PM (#42938807)

            Privilege escalation, arbitrary code execution.

            But now you aren't talking Java exploit. You are talking an OSX exploit too. Not impossible, it's just not mentioned at all. It would imply a flaw in OS X that we'd very much like to know about also, yet it's not discussed.

            That's the all-around problem, the reporting is incredibly shoddy. Is it just Android developers at risk? Just IOS developers? All Mac users because of a new OS X privilege exploit? We are all in the dark with the article as it was, to the point where we can't tell anything.

            • by Synerg1y (2169962)

              You folks realize that the JVM or any anything of that nature is going to require execute right?

              Why's this significant you ask? Cause once the JVM's been exploited an attacker can run just about anything the JVM can, probably through the jvm itself.

              • You folks realize that the JVM or any anything of that nature is going to require execute right?/eM.

                Yes, we ALL know that.

                But it doesn't matter for what I was saying. I don't have write access to /etc/hosts, therefore neither does Java in a browser (or anywhere else I run it).

                Yes it can do anything else in my home directory but I was warned to "check my hosts file". But why, when the only exploit mentioned is Java and that does not have permission (without an OS X exploit) to modify /etc/hosts.

                • by Synerg1y (2169962)

                  That's the thing with slashdot articles, they refer to it as a JAVA exploit... so in the world of security there is no 1 magic key master king exploit that does everything in one step. Things happen in series: Java gets exploited, access to the system is gained: and then something else is run to escalate privilege or gain access to an account, or simply report information. So via the Java exploit, "payloads" get delivered, which can do things like write to the hosts file. Consider how a lot of scareware

  • If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications [barnesandnoble.com] was eye opening - and how many devs read it?

    Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

    Before reading Hacking & securing iOS Applications, the vulnerabilities were
    • by gl4ss (559668) on Monday February 18, 2013 @02:07PM (#42937821) Homepage Journal

      If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications [barnesandnoble.com] was eye opening - and how many devs read it?

      Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

      Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.

      huh, wtf you're smoking? any app you give away to be run in users computers is suspect to the user modifying it. ain't no platform security that works out there. so that book is one big pile of snake oil(of course securing the communications between you and the user to some degree is important.. but you shouldn't blindly trust that information that the client is sending). it's kind of useless to encrypt the "registered or not" db you're using when the key is there in the program. of course platforms have varying degrees of difficulty for people to hack(j2me and non-ndk android being on the easier side, of course).

      but the basic idea that you could just trust the client to keep iap information etc secure is just.. stupid. same goes for pc drm of course and this is why diablo and the new sim city are moving game logic into the servers so what the user has becomes just dumbed down client, so hacking it doesn't give access to the sweets.

      • by hsmith (818216)
        Most developers aren't experts in security, that is the point. Most haven't invested the time learning how to secure software. Most told "build us a mobile App" don't quite grasp all the security ramifications that go along with it.

        huh, wtf you're smoking?

        has no relevance to what I wrote

  • by gl4ss (559668) on Monday February 18, 2013 @01:59PM (#42937759) Homepage Journal

    Can't be that hard to tell! sure it might screw the site over 34023 over but fuck... could just post it.

    without the site name this is just f-secure doing what it usually does - astroturfing! I mean there's literally NO NEW INFORMATION. ok, perhaps it's new information that it was java that was used as applet that was used as attack vector.

    • Astroturfing was the word that occurred to me too. I almost submitted it as a tag, in fact. Or maybe slashvertizement (however that's spelled).

      It's like those news website articles with misleading title (or question as title) hotlinks to entice you to visit the article. The more page hits, the more advertizing sold. Only in this case, they're trying to generate hits on F-Secure's website. If that's your intent, you cannot give away information up front. It would defeat the purpose.

      I suppose it helps t
      • by gl4ss (559668)

        I suppose it helps to get angry at them (if they hear about your anger somehow). It lets them know that their teasing technique isn't building the sort of goodwill that could result in a customer, at least not in those who see through it.

        well their target isn't really people who decide this stuff anymore, on their own anyways, but guys who work at companies and isp's and who decide which product they should bundle(not users that is) with their offering.

        on and off (depending on year) their sw is harder to remove than malware too.. but this reeks of them trying to advertise their mac product..

  • After years of facebook hate. I finally surrendered and created an account. (Only because not having one is starting to look strange.)
    Hours of fighting, cursing, and seriously elevated blood pressure later I was signed up and had found one relative. It was probably not a hack, just me trying to find a way to add someone without giving facebook my email credentials.
    Facebook can have access to my email when they pry the credentials from my cold dead hands!
    • Re:My bad. (Score:4, Interesting)

      by GeorgieBoy (6120) on Monday February 18, 2013 @02:12PM (#42937853) Homepage

      In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...

      I left FB in 2009 and haven't looked back.

      • I always though FB was just pointless. But a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.
        This was for a highly paid job in a position of significant trust. I can understand their reasoning. Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.
        Note they asked to see her facebook, not for her login, or password.
        • by TheP4st (1164315)

          a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.

          This was for a highly paid job in a position of significant trust. I can understand their reasoning.

          I can't.

          It is not like it is unheard of people not having a FB account, not even outside the basement dweller circle. If they do not accept as an answer that you do not have an FB account then already at that point the "position of significant trust" have collapsed.

          • It must be nice to live in your black and white world. There are far too many shades of grey in my world.
            Right or wrong, the fact is that it looks odd if you are applying for a technical job and you don't have a facebook presence.
            If my 72 year old mother has a facebook account then EVERYONE has an account.
        • by vux984 (928602)

          Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.

          Then you would think "I find their handling of user privacy to fall well short of my expectations and I find using it an overall time consuming distraction from more important things in my life. Furthermore, as I am applying for a position of significant trust my choice not to maintain a facebook page eliminates the possibility of it ever being a cause of personal or professional

        • I always though FB was just pointless.

          Obviously you are not a thirteen year old school-girl with no friends. That is the target audience for FB. Nerds come here instead.

      • Do you use another social networking site, or do you simply not partake in relationships online at all?

        • I did not use any "social networking" site. What did I need that for? I have a phone in my pocket with all my real friends phone numbers stored in it.
          • I have a phone in my pocket with all my real friends phone numbers stored in it.

            So what are you doing here then? Picture or it didn't happen!

    • by Anonymous Coward
      It took you hours to sign up and find a relative on facebook?
    • You seriously don't have a single friend on Teh Facebook? It may be difficult to find a particular person on FB, but to find a reasonable number of acquaintances usually isn't that hard unless you hang out exclusively with FB deniers. It's been so long since I signed up, I can't remember who my first FB "friends" were, but it wasn't hard to find a dozen or so people I knew.

      I've had my email address for so long (easily 15+ with the same personal address, almost 10 with my work address) that it's basically p

  • MACS DO NOT BELONG IN THE WORKPLACE! Besides being incompatible with everything in the entire universe, they are a targeted attack waiting to happen. They're like SCADA controllers if SCADA controllers had a following of obsessed fan who know very little about technology and never listen to reason about their products.

Facts are stubborn, but statistics are more pliable.

Working...