Mar. 1, 2008

Posted by in Facebook, General | 5 comments

SMUG Facebook Challenge

You may have heard about the $100 hacking challenge issued by social media instructor Lee Aase.  You may have also expected me to take a stab at it.  You may have even thought I would win it.

You’d almost be right.

A friend sent me a link to the challenge the day Lee posted it, and by the next day I had a plan of attack.  I sent Lee an innocuous Facebook message asking him to take a look at a simple application I’d built.  I didn’t lie – I had thrown the app together a few months before, and it hardly does anything.  But I did fail to mention one detail – I inserted some new code before contacting Lee.

The code would grab any available information on his secret group as soon as he accessed the application.  I’m fairly certain my method did not violate the Facebook TOS, and since Lee issued the challenge, I took that as permission to access his group’s data.  I wasn’t sure if he would accept my technique as meeting the challenge, since it did require action on his part, but figured I’d give it a shot.

As I said, though, it required action on his part, and to my disappointment he didn’t actually install the application before shutting down the challenge.  At that point I went ahead and contacted him to let him know what I was up to, and he graciously installed my application to confirm that the trick worked.  In a way, my “hack” was akin to phishing: I lured Lee to visit a page that seemed harmless but actually took advantage of his visit.

I didn’t really accomplish that much, but the initial challenge was simply to read the group’s “Recent News” section, and I did pull that off.  Accomplishing the rest of the challenge would have been far more difficult, and I don’t think my little scheme invalidated Lee’s original point about doing business on Facebook.  Lee has posted our conversation (a series of Facebook messages) regarding the hacker challenge, so check it out if you want more of the story.

So what’s the point of all this?  One I’ve been trying to make for some time: social applications are powerful.  An application on Facebook has access to a wide range of data on Facebook users, especially if the application finds a wide audience.  But since applications are third-party code running on the developer’s own servers, they essentially run on the honor system.  While the Facebook TOS bars applications from storing most user data, there is no practical way for Facebook to enforce, or even completely audit, this requirement: the platform can verify that a request came from it, but it cannot see what the application does with the data once it has been handed over.
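To make the mechanism concrete, here is a toy Python model of the trick, added for this write-up and not code from the original application or from Lee’s post.  It assumes a canvas-style flow in which the platform sends the application signed `fb_sig_*` parameters identifying the visitor (the MD5-over-sorted-pairs signing convention here is an assumption about the platform of the time, not a documented API), and it uses a constructed stand-in for the platform API and constructed group data.  The point it shows is the one above: signature verification lets the app reject forged requests, but nothing stops the app from persisting whatever the visitor’s session exposes.

```python
import hashlib

# Added example, not code from the original post. Models the shape of the
# trick: the platform hands a canvas app signed parameters naming the visiting
# user, and the app reads and keeps whatever the API exposes for that user.
# The fb_sig_* signing convention (MD5 over sorted key=value pairs plus the
# app secret) is an ASSUMPTION about the 2008-era platform; the API class and
# group data below are constructed stand-ins.

APP_SECRET = "app-secret-assumed"   # assumed value; a real secret is issued by the platform


def sign_params(payload, secret):
    """Compute the signature the platform would attach to a canvas request."""
    body = "".join(f"{k}={payload[k]}" for k in sorted(payload))
    return hashlib.md5((body + secret).encode()).hexdigest()


def verify_request(request_params, secret):
    """Check that the request really came from the platform. Returns (ok, payload)."""
    payload = {k[len("fb_sig_"):]: v
               for k, v in request_params.items() if k.startswith("fb_sig_")}
    expected = sign_params(payload, secret)
    return request_params.get("fb_sig") == expected, payload


class MockPlatformAPI:
    """Constructed stand-in for the platform API, scoped to the visiting user."""

    def __init__(self, groups_by_uid):
        self._groups = groups_by_uid

    def groups_get(self, uid):
        # What the platform returns on behalf of uid, secret groups included.
        return self._groups.get(uid, [])


class InnocuousApp:
    """The 'simple application' with the extra code inserted."""

    def __init__(self, api, secret):
        self.api = api
        self.secret = secret
        self.harvested = []   # data the app keeps; nothing platform-side prevents this

    def handle_canvas_request(self, request_params):
        ok, payload = verify_request(request_params, self.secret)
        if not ok:
            return "403 bad signature"
        uid = payload["user"]
        # The harmless part the visitor actually sees.
        page = f"<p>Hello user {uid}, here is the widget.</p>"
        # The inserted part: read and persist everything the session exposes.
        for group in self.api.groups_get(uid):
            self.harvested.append({
                "uid": uid,
                "group": group["name"],
                "recent_news": group["recent_news"],
            })
        return page


def run_demo():
    """Simulate one visit by a user who belongs to a secret group."""
    api = MockPlatformAPI({
        # constructed sample data
        "1001": [{"name": "SMUG secret group", "recent_news": "Challenge is on"}],
    })
    app = InnocuousApp(api, APP_SECRET)

    # Platform side: build the signed request for user 1001.
    payload = {"user": "1001", "session_key": "sess-abc", "time": "1204329600"}
    request = {f"fb_sig_{k}": v for k, v in payload.items()}
    request["fb_sig"] = sign_params(payload, APP_SECRET)

    page = app.handle_canvas_request(request)

    # A tampered request (different user, same signature) is rejected.
    forged = dict(request)
    forged["fb_sig_user"] = "2002"
    rejected = app.handle_canvas_request(forged)

    return page, rejected, app.harvested


if __name__ == "__main__":
    page, rejected, harvested = run_demo()
    print(page)
    print(rejected)
    print(harvested)
```

Running the demo shows the visitor’s page rendering normally while the app’s `harvested` list silently fills with the group name and its “Recent News”; the forged request is rejected, which is the only check the platform side can actually make.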

Does this mean we should no longer use applications on social networking platforms?  Certainly not.  But while I’m not aware of any rogue social applications thus far, I would not be surprised to see them before too long.  I expect the people behind things like phishing scams to move toward using social networking sites.  Once again, the social graph is both the strength and the weakness of a social networking site: it enables many great features, but it also presents a wealth of data that scammers and hackers will target.

Consequently, social networking sites need to be vigilant in protecting and informing their users.  Developers need to be careful to find and plug holes in their applications that people could exploit.  (If they read this blog, they may get some free help in the finding part. :)  And users need to maintain a healthy skepticism of giving any site or application access to personal information.

Anyway, thanks to Lee for the challenge and the write-up, as well as giving me a good opportunity to highlight another point regarding privacy and security.

  1. Thanks for contributing to my knowledge of security at Facebook and other social networking sites. It’s good to be aware of the potential risks of installing an application, and it does confirm that users should be careful about the applications they install and the legal

    So how about a private blog? Any holes there? That seems to me a good place where you could have even more confidential conversations, since it doesn’t allow installation of widgets that contain javascript or other programming languages.

    I may check out the terms of service and see if I can configure another hacker challenge that would be within bounds.

    But meanwhile, I’d appreciate your thoughts on it.

    Keep up the good educational work.

  2. There are so many challenges out there right now. And I think we all like it.

  3. Ucef [Current Fbook user] [Major: Network Administrator -CISCO- and Computer technician]

    Completely respecting the hackers on both parties for this trial.
    I have nothing against this, except that we have already adapted to the site as a part of our social community, and once we can’t log in to it we feel we have really lost something.

    But technically, and talking about coding and stuff like web development and security issues, etc., it rocks, just the kind of techniques I’d like to learn and follow as a hobby, not more, not to hurt anyone… hehe.

    I have left my email here in case I can get a reply to this, please.

  4. Sorry for the grammar mistakes… been rushed out… now back to work…


  1. Social Hacking » Blog Archive » A Gate for the Walled Garden - [...] Once again, using exportable properties would not threaten a user’s privacy, since it requires “Full Disclosure Opt-in.”  This would ...
  2. Social Hacking » Blog Archive » Proof-of-Concept Malicious Application - [...] many, including this very hacker have been saying for some time, it’s only a matter of time before black ...