Computer researchers built a tool that demonstrates how hackers could silently turn Facebook users into a powerful zombie army that can attack other websites or scout for vulnerable sites on the net.

All that is necessary to create the Facebook Botnet is to have users choose to install a rogue Facebook application written by an outside developer – in this case, one called Photo of the Day.

Once the application is installed, the unsuspecting user is inducted into the hacker's army and unknowingly follows orders any time he or she logs into Facebook.

Facebook downplayed the attack, saying that any developer who could figure out how to make a successful application could make money in other ways.

The researchers – mostly affiliated with the Greece-based Institute of Computer Science – describe their innovation in a paper (.pdf) as a demonstration of an "anti-social network" – essentially a hijacked social network that can be used for a number of nefarious purposes.

Their demo attack was very simple and surprisingly effective. They created an application that displayed a new National Geographic photo daily on a user's Facebook page – though the app was not approved by National Geographic.

In the background, however, the application also downloads three large photos from a targeted site, and the user's browser never displays them. Any application with enough users then acts like a denial-of-service attack, flooding the chosen website with requests for data. The user stops being part of the attack after logging out, but rejoins every time he or she returns.
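From the targeted site's side, the pattern described above looks like ordinary hotlinking at scale: many distinct clients fetching the same large images with a Referer pointing at a third-party application page. The following detector is an added example written for this post, not code from the researchers' paper or from Facebook; it parses constructed web-server log lines in the common "combined" format and flags any large image that is hotlinked by several distinct clients from an off-site referring host. The hostnames (apps.example-social.test, www.victim.test) and the byte and client thresholds are placeholders chosen for illustration.

```python
"""Flag a hotlinking flood: many distinct clients fetching the same large
static image with an off-site Referer.  The log lines below are constructed
sample data, not traffic captured during the research described above."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/Nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

LARGE_BYTES = 500_000          # assumed threshold: responses above ~500 KB count as "large"
MIN_DISTINCT_CLIENTS = 3       # assumed threshold: flag once this many distinct IPs hotlink one object
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def is_hotlink(entry, own_hosts):
    """True when a large image is fetched with a Referer from a host we do not own."""
    if not entry["path"].lower().endswith(IMAGE_EXT):
        return False
    if entry["bytes"] < LARGE_BYTES:
        return False
    ref_host = urlparse(entry["referer"]).hostname or ""
    return ref_host != "" and ref_host not in own_hosts


def find_hotlink_floods(lines, own_hosts):
    """Return {(referer_host, path): set_of_client_ips} for every object that
    at least MIN_DISTINCT_CLIENTS distinct clients hotlinked from one off-site host."""
    clients = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_hotlink(entry, own_hosts):
            continue
        ref_host = urlparse(entry["referer"]).hostname
        clients[(ref_host, entry["path"])].add(entry["ip"])
    return {key: ips for key, ips in clients.items() if len(ips) >= MIN_DISTINCT_CLIENTS}


# Constructed sample: four visitors pulled in via a hypothetical app page
# (apps.example-social.test is a placeholder host), plus ordinary on-site traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Aug/2008:10:00:01 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 812345 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Aug/2008:10:00:02 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 812345 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Aug/2008:10:00:03 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 812345 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"',
    '203.0.113.13 - - [10/Aug/2008:10:00:04 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 812345 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2008:10:00:05 +0000] "GET /photos/big1.jpg HTTP/1.1" 200 812345 "http://www.victim.test/gallery.html" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Aug/2008:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2008:10:00:07 +0000] "GET /photos/thumb.jpg HTTP/1.1" 200 9876 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, path), ips in find_hotlink_floods(SAMPLE_LOG, {"www.victim.test"}).items():
        print(f"{path} hotlinked from {host} by {len(ips)} distinct clients")
```

Run on the sample, it reports only `/photos/big1.jpg` from `apps.example-social.test` (four distinct clients); the same image fetched from the site's own gallery page and the small thumbnail are ignored. Keying on the referring host rather than on individual client IPs is what distinguishes this pattern from a conventional flood: each user sends only a handful of requests, so per-client rate limits never trigger, but the shared Referer ties the traffic together. The usual mitigation once such a host is identified is to refuse or redirect large-object requests whose Referer comes from it.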

But Facebook spokesman Barry Schnitt disputes the economics of the attack.

"As a practical matter, it is not that easy to get an application with millions of users," Schnitt said. "Why wouldn't you get venture capital or make money with ads rather than use it to take down a website?"

The researchers chose to point the hidden attack at their own server, of course – but were surprised that more than 1,000 Facebook users installed the application, even though they only mentioned it to friends.

That led to a peak of 300 requests per hour, and on its peak day the traffic went above 6 Mbits per second.

That's an impressive number for an application with only 1,000 users, using only the most basic attack.

A much more sophisticated attack could be launched using a bit of JavaScript, and if that were married to an application such as Super Wall, which has millions of daily users, one would likely have the world's most powerful botnet.

Now, coders who control a really popular social networking app aren't likely to jeopardize their oil well for a prank, but it would not be hard for a slightly popular application to become rogue without anyone ever knowing or being able to figure out it was happening.

Facebook does not monitor each application's source code, but does talk with developers of the most popular applications and monitors the site to look for anomalies, according to Schnitt.

This post was updated to include Facebook's response and to add that National Geographic has no relationship to the research project.

Hat Tip: Dark Reading's Kelly Jackson Higgins via Ryan Naraine.
