Nathan Hamiel (right) and Shawn Moyer (left) love social sites from MySpace to Facebook. But at the Defcon and Black Hat security conferences this year, they gave talks about how easy it is to compromise web sites that accept user-generated content.
The arms race to aggregate content into social sites is leading to a “broader attack surface.” Virus creators know they can get a better payoff if they exploit social networking to help spread their wares.
The two security researchers are no strangers to the topic. Last year, they gave a talk about hacking MySpace and called it “Satan is on my friends list.” They found that user-generated content introduced a whole set of security concerns because it brings in content from third parties who may or may not be reliable. One way to exploit user-generated content sites is with cross-site request forgery, which gets around authentication methods.
This year, they introduced MonkeyFist, a tool that automates the process of doing cross-site request forgeries. In other words, you still can’t trust your friends list.
June 5th: The AI Audit in NYC
Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.
Nathan Hamiel and Shawn Moyer on hacking Web 2.0 from Dean Takahashi on Vimeo.
