Opportunities for mischief abound as users place intimate details of their lives on profile pages and install mini-applications made by strangers that don’t always have their privacy at heart.
In a trend pioneered with tremendous success by Facebook, social networking websites have opened their operating platforms to let outside developers craft fun, hip, or functional software "widgets" that can be added to profile pages.
Malicious code can be hidden in such applications, computer security specialists Nathan Hamiel and Shawn Moyer said at a premier Black Hat conference in Las Vegas.
"I can’t necessarily attack Facebook or MySpace, but I can attack their users all day long," Moyer told AFP. "Don’t put anything on a Facebook account that you don’t consider public."
People are prone to place faith in social networking widgets and links from friends, said Idea Information Security consultant Nathan Hamiel.
"People are going nuts adding applications they don’t need," Hamiel told AFP.
"Every time they do that they are showing an implicit trust in whoever wrote the application, and most people don’t know who that is."
Hamiel and Moyer showed peers software capable of plundering profile information, swiping people’s "friends," or locking people out of their own MySpace pages.
A pair of MySpace engineers who attended the demonstration said that hacks are known risks in today’s social platforms and that they had Hamiel’s application deleted by the end of the talk.
Fake postings on comment boards advising people to update software are ways to trick social network users into downloading malicious software that can commandeer control of machines, Hamiel said.
"Social networks really don’t care if you get pawned or not," Hamiel said, using slang referring to a computer user being dominated and humiliated by hackers.
"People know if they go on a computer and download a program they could get a virus. They don’t have the same view of how dangerous that can be on a social networking site."
Hackers can write seemingly legitimate widgets that "go rogue" after spreading to enough social network members, according to Hamiel.
"It is not a problem with a particular site," Hamiel said. "It is a problem with social networking in general."
Even if tainted applications are deleted, the odds are that the data from profile pages was already copied onto an outside computer, according to Hamiel and Moyer.
"MySpace and Facebook have no control over my servers," Hamiel said. "Once the content is moved from their site they have no control over that."
Those thinking that they will stay safe by not having social networking pages may still vulnerable to trouble, according to the security specialists.
Another ruse is to create social networking profiles for people using information mined from the Internet and then for the imposters to send out "friends requests."
Those that take the bait give open doors to the private data in their profiles.
"We think you should make a profile for yourself before somebody else does," Moyer said. "Just don’t put anything there that you don’t consider public. And trust, but verify when people want to be your friend."