02 May 2011

Exploiting trust as an attack vector in social media

Earlier today I posted a tweet:
bin Laden autopsy video: http://bit.ly/iXcSQ2 #obl
By now it should be obvious that there is no such video. I did it as a very short and simple experiment in exploiting trust. The news of Osama bin Laden's death has caused traffic to skyrocket on the Internet, and people want to learn anything they can about it.  So I chose "autopsy video" although I could have "posted" a link to a video from the raid, the sea burial of his body, or any of a dozen other things. I also didn't take into account the timing of the tweet (to reach a broader audience), so again, just keeping it simple.

As you could tell if you followed the link above, it's just a message on my blog:
There is no bin Laden autopsy video here, but there could have been malware, and then you'd be pwned. You really shouldn't click on such links. :-)
I linked to my blog because I wanted to track the hits, and they came in fast and furious. In barely two hours, it was re-tweeted a dozen times and I counted over 150 unique hits (that's well beyond what I see on a "normal" day even if I've posted a blog entry). Most of my followers are security-conscious folks. Most people got my point (for example, see here), a few didn't understand my point at all, and a few thought it was "cheap" because it was from a trusted source. And it's true: presumably, if you're a follower of mine, you'd place some measure of trust in the content I publish. On the other hand, this is precisely the point I am aiming at: trusted sources can be exploited, they're much more effective than a "random" source, and they're incredibly difficult to defend against. If someone were to hijack my Twitter account, they gain access to my Twitter data (which may or may not be all that valuable), but more importantly they gain access to the trust which my followers place in me. This is hugely important.
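The tweet relied on a shortener (bit.ly) to hide where the link actually went, and a hit counter on the far end to measure who clicked. One habit that blunts this is to expand a shortened link and read the redirect chain before deciding whether to visit the destination. The following is an added example, not code from the original post: it spins up a small local HTTP server that stands in for the shortener and the landing site (the paths `/short`, `/tracker` and `/landing.html` are constructed for the example and are not real bit.ly codes), then resolves the chain by sending HEAD requests and following `Location` headers by hand, so no page body is ever downloaded.

```python
"""Expand a shortened link without loading its final destination.

Constructed, offline example: a local HTTP server plays the role of the
shortener and of the site it redirects to. The resolver sends HEAD
requests and follows Location headers itself (no automatic redirect
following), so the landing page is never fetched; the returned chain is
what you read before deciding whether to click.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed redirect chain: short code -> tracking hop -> landing page.
# These paths are illustrative; they are not real shortener codes.
REDIRECTS = {
    "/short": (301, "/tracker?id=42"),
    "/tracker": (302, "/landing.html"),
}

class RedirectHandler(BaseHTTPRequestHandler):
    """Serves the constructed chain above; anything else answers 200."""

    def _serve(self):
        path = urlsplit(self.path).path
        if path in REDIRECTS:
            status, target = REDIRECTS[path]
            self.send_response(status)
            # Relative Location, as many real sites send; the client must resolve it.
            self.send_header("Location", target)
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()

    def do_HEAD(self):
        self._serve()

    def do_GET(self):
        self._serve()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_redirect_server():
    """Start the stand-in shortener on a free localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def expand_short_url(url, max_hops=10, timeout=5):
    """Return every URL in the redirect chain, ending at the first non-redirect.

    Only HEAD requests are sent and redirects are followed manually, so no
    body is downloaded. Raises after max_hops to stop redirect loops.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        if parts.scheme != "http":
            raise ValueError("this offline example handles plain http only")
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
        try:
            target = parts.path or "/"
            if parts.query:
                target += "?" + parts.query
            conn.request("HEAD", target)
            resp = conn.getresponse()
            if resp.status not in (301, 302, 303, 307, 308):
                return chain  # reached the real destination
            location = resp.getheader("Location")
            if not location:
                return chain  # redirect with no target; nothing more to follow
            chain.append(urljoin(chain[-1], location))  # resolve relative Location
        finally:
            conn.close()
    raise RuntimeError(f"more than {max_hops} redirects, giving up: {chain}")


if __name__ == "__main__":
    server, base = start_redirect_server()
    try:
        for hop in expand_short_url(base + "/short"):
            print(hop)
    finally:
        server.shutdown()
```

The chain printed for the constructed server is the short code, the tracking hop, and the landing page; against a real shortener you would read the final hostname and the intermediate hops (a tracker inserted between the shortener and the destination is itself a signal) before opening anything in a browser. The hop limit matters: a loop of redirects would otherwise hang the check.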

This experiment may or may not be "cheap," but if you clicked on the link, you could potentially have been pwned, cheap or not.  In this sense, "cheap" is just another word for "not fair."  The attacker obviously doesn't care about playing fair, nor does he care what you think about his methods; only that he wins.