Network News

X My Profile
View More Activity

Researcher: Hackers Hijack Some Facebook Apps

A number of games and other applications built to be used on have been hacked so that users are quietly sent to sites that try to install malicious programs, a security researcher has found.

Roger Thompson, chief research officer for computer security firm AVG, discovered about a half-dozen Facebook games and app home pages had been compromised by attackers. While hacked Facebook profile pages are not uncommon -- thanks largely to threats like the Koobface worm -- Thompson said this was the first time he'd seen actual Facebook applications being hacked.

According to Thompson, the hackers somehow slipped malicious "iframes" -- small, hidden chunks of computer code that invisibly load content from exploit sites -- into each of the Web pages where users would go to use the apps. The exploit sites in turn try to foist malicious software if the visitor is running outdated Adobe products, such as a version of Adobe Reader that is not up-to-date on patches.

Thompson said at the outset, he assumed the apps were created by the attackers, until he had a look at the source code for the app pages, which suggest that the malicious iframes had been injected into the pages after the fact.

A number of the applications Thompson named in his research -- including one called Pass-it-On, and another called City Fire Department -- are no longer available on The placeholder page for the latter currently displays the message: "'City Fire Department' is temporarily unavailable due to an issue with its third-party developer. We are investigating the situation and apologize for any inconvenience.'" Security Fix reached out to but did not hear back from both developers of those applications.

Thompson said the applications were most likely hacked not through any vulnerability in, but through some type of malicious software that infected the application developer's PC.

As I wrote in July's column, PC Infections Often Spread to Web Sites, malware often injects malicious iframes into all available Web page files on a victim's PC, as a means of further spreading the disease:

Specifically, the local malware seeks out saved usernames and passwords in popular FTP clients like CuteFTP and Filezilla and then uses the stolen information to upload modified code to the web server. This leads to a frustrating cycle for the unsuspecting website owner, who discovers bad code on his/her site, fixes the problem, and then finds the site infected again a day or two later.

Facebook spokesman Simon Axton said the social network reacted quickly to the news of compromised apps on its servers.

"This was a low volume attack affecting a small number of applications with relatively few users," Axton said in a statement e-mailed to Security Fix. "However, we take all reports of malicious activity seriously and quickly placed a moratorium on the applications yesterday afternoon making them unavailable. We also contacted the developers to notify them of the issue so they can fix it. We won't make the applications available again until the problem has been resolved."

Attacks like this are a good reminder of how important it is to update third-party software with the latest security patches. For example, on Tuesday, Adobe released a new version of Adobe Acrobat and its free PDF Reader application that fixes at least 29 security vulnerabilities in the programs, including one that already is being exploited by attackers.

By Brian Krebs  |  October 15, 2009; 5:10 PM ET
Categories:  Latest Warnings , Safety Tips , Web Fraud 2.0  | Tags: avg, facebook, hacked apps  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Mozilla: Firefox Users, Check Your Plug-ins
Next: PayChoice Suffers Another Data Breach


Hey Brian, is this related to the bugs on Facebook all week? Three different error messages while logging in? Repeated elimination and then resurrection of the friends list? Inability to post to your own wall (You need to be logged in to do that!) Inability to post comments to other people's posts (Database error!)?

"For the moment" it seems to be resolved but this was days of frustration, and just because it is working now, doesn't mean it will be working 10 minutes from now.

Posted by: skp76476 | October 17, 2009 7:56 PM | Report abuse

Some security researchers actually did a whole month of bugs in Facebook apps. You should check it out:

There are lots of serious issues with Facebook apps!

Posted by: gofish12 | October 20, 2009 2:32 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company