Social Networking Corporate Security Compromise
At one point or another I think I’ve been a part of almost every social networking site I’m even aware of. I really hate them, let me just tell you. Loathe is a better word. Loathe. Anyway. Here I am on LinkedIn loathing life, but one of my previous co-workers and I were making a game out of who could get the most contacts. Don’t ask me why, I really don’t know. At first I was playing fair, and then at the point when he started pulling ahead I resorted to adding my email address to my title so that people could add me at will. That’s not super interesting. But then it occurred to me as I started getting requests from my co-workers: this is extremely game-able.
Personally, I’m not going to go messing around on LinkedIn, because most of the people I am networked to happen to actually know me and know it was me who was messing with them (and it’s not really my style anyway) but it’s a very real problem. You can send personalized requests to millions of users (spam).
“Yes, RSnake, but how?” Well, at one point I used to work for a company that was bought by a company and that company was bought by another company and that company was bought by another company. So it’s very difficult to figure out who you worked with because people left at various stages of the four companies, so you have to add yourself as having worked at all four companies to find everyone. But wait, why can’t I add… ANY company? I can!
So let’s say I want to make chummy chummy with a bunch of Google folks? It’s just a matter of saying I worked there at some point and adding enough people before people start adding you back. Free access to work email addresses of every major company! And the best part is I don’t have to say I continued to work there, I can then delete the fact that I pretended like I worked there and move on to the next company. Ouch.
This is clearly not LinkedIn’s idea behind this function. They don’t make money when you spam their users, and if you do, people will start abandoning the site right and left (meaning that would be one less site for me to visit every few weeks when I get one more piece of mail from someone adding me or asking me to get in contact with someone else - wouldn’t that be terrible?). So how would you detect something like this if you are architecting your own website? The root problem is an unverified, self-asserted profile attribute (a past employer) that the site treats as evidence of a real relationship. That attribute leaks too much information about its users and lets a stranger get in contact with them much more easily than they normally could.
I’m not aware of a web application scanner on earth that would find something so strange, but indeed, if you want to start spamming someone directly, or issuing targeted viruses/worms to mega companies, this is a perfect conduit for finding people in these huge companies, and targeting them directly. Remember our JavaScript scanner? “Hey, Joe, check out my new company, I just went to, I’d appreciate any feedback you could give since I know this is your area of expertise.” Even if they don’t know you, 9 out of 10 times they’ll click, and you’re in.
Social networking can lead to corporate security compromise. In the information age, social networking feels like one of the largest holes in online security.
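One way to answer the “how would you detect something like this” question above, as an added example that is not part of the original post and not LinkedIn’s code: a small heuristic run over a constructed invitation log. It looks for the exact pattern described here (claim an employer, burst invitations at that employer’s members, then drop the claim) and for the single request carrying hundreds of invitations that the comment thread raises. The event format, field names and thresholds are all assumptions made for the example.

```python
"""Detect self-asserted-employer invitation spam in a social-network invite log.

Added example; not LinkedIn's code and not from the original post.
Assumed event format (one event per line, pipe-delimited, constructed for this example):
  <ISO timestamp>|<user>|EMPLOYER_ADDED|<employer>
  <ISO timestamp>|<user>|EMPLOYER_REMOVED|<employer>
  <ISO timestamp>|<user>|INVITE_SENT|<request id>|<recipient>|<recipient's employer>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are illustrative assumptions; a real site would tune them on its own data.
MAX_INVITES_PER_CLAIM = 10        # invites to members of a freshly claimed employer
CLAIM_WINDOW = timedelta(days=7)  # only invites this soon after the claim count against it
SHORT_TENURE = timedelta(days=1)  # a claim dropped this soon after invites is a drive-by
MAX_INVITES_PER_REQUEST = 5       # one HTTP request carrying more invites than this


@dataclass
class Claim:
    employer: str
    added: datetime
    removed: Optional[datetime] = None
    invites: int = 0              # invites sent to this employer's members while claimed


def parse_event(line):
    """Split one log line into (timestamp, user, event, remaining fields)."""
    fields = line.strip().split("|")
    return datetime.fromisoformat(fields[0]), fields[1], fields[2], fields[3:]


def analyze(lines):
    """Return a list of (user, finding, subject, count) tuples, in detection order."""
    claims = defaultdict(dict)                            # user -> employer -> Claim
    per_request = defaultdict(lambda: defaultdict(int))   # user -> request id -> invites
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event, rest = parse_event(line)
        if event == "EMPLOYER_ADDED":
            claims[user][rest[0]] = Claim(rest[0], ts)
        elif event == "EMPLOYER_REMOVED":
            claim = claims[user].get(rest[0])
            if claim and claim.removed is None:
                claim.removed = ts
                # Employer added, used to reach its people, then removed within a day.
                if claim.invites and ts - claim.added <= SHORT_TENURE:
                    findings.append((user, "drive_by_claim", rest[0], claim.invites))
        elif event == "INVITE_SENT":
            request_id, _recipient, recipient_employer = rest
            # Volume per request: "add all my co-workers" in one click.
            per_request[user][request_id] += 1
            if per_request[user][request_id] == MAX_INVITES_PER_REQUEST + 1:
                findings.append((user, "bulk_request", request_id,
                                 MAX_INVITES_PER_REQUEST + 1))
            # Volume per claimed employer, counted only while the claim is live and fresh.
            claim = claims[user].get(recipient_employer)
            if claim and claim.removed is None and ts - claim.added <= CLAIM_WINDOW:
                claim.invites += 1
                if claim.invites == MAX_INVITES_PER_CLAIM + 1:
                    findings.append((user, "claim_invite_burst", recipient_employer,
                                     claim.invites))
    return findings


# Constructed sample log: "mallory" claims Google, fires 12 invites from one request at
# Google addresses, then drops the claim; "alice" reconnects with two real ex-colleagues.
SAMPLE_LOG = (
    ["2006-08-15T20:00:00|mallory|EMPLOYER_ADDED|Google"]
    + [f"2006-08-15T20:01:{i:02d}|mallory|INVITE_SENT|req-1|user{i}@google.example|Google"
       for i in range(12)]
    + [
        "2006-08-15T20:10:00|mallory|EMPLOYER_REMOVED|Google",
        "2006-08-15T21:00:00|alice|EMPLOYER_ADDED|Acme",
        "2006-08-15T21:02:00|alice|INVITE_SENT|req-7|bob@acme.example|Acme",
        "2006-08-15T21:03:00|alice|INVITE_SENT|req-8|carol@acme.example|Acme",
    ]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The three signals are independent on purpose: a single oversized request is a rate-limit problem at the HTTP layer, the burst against a just-claimed employer is a profile-integrity problem, and the drive-by removal is what turns the other two from “noisy” into “fraudulent”. Each one alone will hit honest users (someone who genuinely rejoins a big company and reconnects with forty ex-colleagues), so the thresholds above are for illustration and the findings are meant to feed the kind of review the LinkedIn reply below describes, not to terminate accounts automatically.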



August 15th, 2006 at 8:38 pm
We do have triggers that flag people doing this sort of thing, and also people do click on the “report” button when receiving invitations from someone they don’t know. Not perfect, but enough to keep abuse on a large scale in check. Such misrepresentation is reason for account termination, and we act on that because people really like the ability to re-connect with former colleagues. 99.99% of people use the feature responsibly and it would be a shame if 0.01% of people would end up limiting what you can do on LinkedIn that people really enjoy and find useful, too.
August 16th, 2006 at 5:54 am
It’s true if you get the basic protocol down you can practically ‘curl’ requests to everyone.
August 16th, 2006 at 8:19 am
Konstantin Guericke, that’s good to know, but would it limit me from sending dozens or hundreds of these per second via a single request (add all my co-workers)? Since it’s only a single request it would only take one click of a button to submit thousands of pieces of spam through your system.
I don’t mean to pick on LinkedIn (it’s probably the only one I actually actively use anymore), as I rather see this as a problem with almost all social networking sites in general.