So Many Ways to Slap A Yo-Ho: Xploiting Yoville and Facebook for Fun and Profit

DEF CON 18

Presented by: strace
Date: Sunday August 01, 2010
Time: 15:00 - 15:50
Location: Royale 2-3-4
Track: Track 1

Maybe you've played YoVille because your spouse or relative got you into it. Maybe it's your overt obsession or secret delight. If you haven't heard of YoVille, well, it's got at least 5 million active users connected directly with Facebook. This talk explores the Web 2.0 Pandora's box that is the trust relationship between YoVille and Facebook.

For many, YoVille is fiercely competitive in a hyper-decorative way, it has its own intricate economics, and yes, tempers can flare when you get rooked by a scammer. You will meet people you want to pimp slap (really hard), and this talk will show you how. Send a school teacher who you don't like a "Jeffrey Dahmer Snack Plate with fingers and toes". Don't like that History Professor? Send him a Burning Cross that lets him know he is welcome in the neighborhood.

Want to show off for that special someone? You can grant yourself "The YoVille Sexiest Man (or Babe) Award" and have it prominently displayed on your Facebook wall for everyone to see, rickrolling anyone who clicks on it.

Or you can embrace the dark side...

Imagine a cute "trojan" Puppy that takes over your system when you click to adopt it? Yes, it can be done, and it's going on right now. Post that payload on Facebook or to the YoFeed and mass root everyone who clicks on it? This talk will show you how it is done, along with recorded examples of actual attacks.

On a more serious note, when you click "Accept" and allow YoVille to access Facebook, you introduce a cornucopia of attack vectors for spreading malware within the user population. The origin, authenticity, and integrity of almost any message shared from YoVille can be subverted. If the receiving application trusts that the message is safe, it becomes a broadcast channel for widening the attack.

I will show how a blackhat can use YoVille to spread destructive malware. Anything that updates the Facebook wall or sends a user a hyperlink is susceptible.

These problems are not unique to YoVille and Facebook; this is clearly the tip of an enormous iceberg. So embrace your dark side for an hour of YoVillany, and remember:

Never click on "candy" from strangers.

The types of attacks we will demonstrate were collected in the wild, by watching the activities of a Philippine hacker group and then reverse engineering their attacks in our own lab. The real attacks ranged from using YoVille to spam Facebook user walls with ads selling discount meds, to spoofed YoVille events or collectibles that pointed to shotgun attacks against the browser.

strace

strace Bio to come
