Researcher: Hackers Hijack Some Facebook Apps

Brian Krebs
Copyright 2009
Thursday, October 15, 2009; 5:41 PM

A number of games and other applications built to be used on Facebook.com have been hacked so that users are quietly sent to sites that try to install malicious programs, a security researcher has found.

Roger Thompson, chief research officer for computer security firm AVG, discovered about a half-dozen Facebook games and app home pages had been compromised by attackers. While hacked Facebook profile pages are not uncommon -- thanks largely to threats like the Koobface worm -- Thompson said this was the first time he'd seen actual Facebook applications being hacked.

According to Thompson, the hackers somehow slipped malicious "iframes" -- small, hidden chunks of computer code that invisibly load content from exploit sites -- into each of the Facebook.com Web pages where users would go to use the apps. The exploit sites in turn try to foist malicious software if the visitor is running outdated Adobe products, such as a version of Adobe Reader that is not up-to-date on patches.

Thompson said that at the outset he assumed the apps were created by the attackers, until he had a look at the source code for the app pages, which suggested that the malicious iframes had been injected into the pages after the fact.

A number of the applications Thompson named in his research -- including one called Pass-it-On, and another called City Fire Department -- are no longer available on Facebook.com. The placeholder page for the latter currently displays the message: "'City Fire Department' is temporarily unavailable due to an issue with its third-party developer. We are investigating the situation and apologize for any inconvenience."

Security Fix reached out to the developers of both applications but did not hear back.

Thompson said the applications were most likely hacked not through any vulnerability in Facebook.com, but through some type of malicious software that infected the application developer's PC.

As I wrote in July's column, PC Infections Often Spread to Web Sites, malware often injects malicious iframes into all available Web page files on a victim's PC, as a means of further spreading the disease:

Specifically, the local malware seeks out saved usernames and passwords in popular FTP clients like CuteFTP and FileZilla and then uses the stolen information to upload modified code to the web server. This leads to a frustrating cycle for the unsuspecting website owner, who discovers bad code on his/her site, fixes the problem, and then finds the site infected again a day or two later.

Facebook spokesman Simon Axton said the social network reacted quickly to the news of compromised apps on its servers.

"This was a low volume attack affecting a small number of applications with relatively few users," Axton said in a statement e-mailed to Security Fix. "However, we take all reports of malicious activity seriously and quickly placed a moratorium on the applications yesterday afternoon making them unavailable. We also contacted the developers to notify them of the issue so they can fix it. We won't make the applications available again until the problem has been resolved."

Attacks like this are a good reminder of how important it is to update third-party software with the latest security patches. For example, on Tuesday, Adobe released a new version of Adobe Acrobat and its free PDF Reader application that fixes at least 29 security vulnerabilities in the programs, including one that already is being exploited by attackers.
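
A site owner stuck in the reinfection cycle described above can audit page files, both the local copies and what is on the server, for hidden frames that load from unexpected hosts. The Python sketch below is an added example, not code from this article or from AVG's research; the hiding heuristics, the host allowlist, and the sample page with its hostnames are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style declarations that make an element invisible or push it off screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

class IframeAuditor(HTMLParser):
    """Collects iframes that are hidden AND load from a host not on the allowlist."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, host, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.allowed:
            return  # relative (same-site) source or an expected third party
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("0/1-pixel size attribute")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if reasons:
            self.findings.append((self.getpos()[0], host, ", ".join(reasons)))

def audit_html(text, allowed_hosts=()):
    """Return findings for one page; allowed_hosts are hosts the owner embeds on purpose."""
    auditor = IframeAuditor(allowed_hosts)
    auditor.feed(text)
    auditor.close()
    return auditor.findings

# Constructed sample page: one intended widget, one frame shaped like an injection.
SAMPLE = """<html><body><h1>My App</h1>
<iframe src="https://widgets.example.com/chat" width="300" height="200"></iframe>
<iframe src="http://injected.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, why in audit_html(SAMPLE, {"widgets.example.com"}):
        print(f"line {line}: hidden iframe -> {host} ({why})")
```

A clean scan does not end the cycle on its own: if the frames came from stolen FTP credentials, the infected PC has to be cleaned and the passwords changed before the files are repaired again.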


© 2009 Washingtonpost.Newsweek Interactive