Following on from my previous post about the good things open source can do, I thought it only fair to point out that it's not all good. The cornerstone of the open source movement is openness: releasing APIs so that other people can interact with your application, or letting them modify things directly (as in the Wiki model). This can be a good thing. Opening your project up to outside influences like this lets thousands of minds outside your group introduce interesting and creative features, things you wouldn't normally come up with on your own. There are some truly creative minds out there, and it's not always easy to find that kind of creativity inside the boundaries of your own project.
Allowing others to interact with your code, though, can also be a source of problems. Once in a while, among all the creative and helpful people who interact with your project and improve it, you will encounter someone with less than honourable intentions. This article on IT World points out how bad things could get when one of these people turns your project to their own use. In this particular case it was only an experiment, but it illustrates the point quite well.
Basically, a research team created a bogus Facebook app called Photo of the Day. The app appears to put up a new National Geographic photo each day; what its users don't see is that every time one of the photos is clicked, a 600 KB HTTP request for images the user never sees is sent to a victim website. A 600 KB request might not seem too bad at first, but as the article points out, this app reached around 1,000 users pretty quickly without any advertising.
With the app uploaded to Facebook, the developers monitored traffic on a web site they set up for it to point to. What they found is rather startling:
If those traffic figures were applied to Facebook applications that have a million or more users, they estimated a victim’s Web site could be bombarded by as much as 23 M bits per second of traffic, or 248 G bytes of unwanted data per day.
Essentially, an application could be used to flood a victim's web site with enough data requests to produce a denial of service attack. Of course, that's not the only way this bogus app (a "facebot") could be used. It could easily be altered to scan for open ports on a certain host, or to grab someone's personal details, since Facebook apps usually have access to the user's personal information.
While the thought might be rather worrying, it's not time to batten down the hatches and ditch Facebook just yet! As the article points out, misuse like this could easily be prevented by limiting what the apps are allowed to interact with outside the established project. The APIs should be designed so that apps cannot interact too freely with the rest of the internet. Hopefully people will follow the advice.
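As an added illustration of the kind of limit the article recommends (example code written for this post, not from the researchers or from Facebook): a default-deny egress filter that the hosting platform could run over an app's rendered markup, keeping only resource fetches to hosts the app has declared. The app id, the allowlist and the sample markup are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one declared host, plus a hidden 1x1 image to an unrelated site.
APP_ALLOWLIST = {"photo_of_the_day": {"images.example-app.test"}}
SAMPLE_MARKUP = (
    '<div><img src="https://images.example-app.test/today.jpg">'
    '<img src="https://victim.example/big.jpg" width="1" height="1"></div>'
)


class EgressFilter(HTMLParser):
    """Rebuild app markup, dropping tags that auto-fetch from undeclared hosts."""

    # Tags whose attribute makes the browser fetch a URL without any click.
    AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.out = []       # pieces of the cleaned markup
        self.blocked = []   # (tag, host) for every fetch that was removed

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCH.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url is not None:
            # Default deny: relative URLs have no hostname here and are dropped too.
            host = urlsplit(url).hostname or ""
            if host not in self.allowed_hosts:
                self.blocked.append((tag, host))
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <img .../> is a start tag only

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser decodes entities in text; re-escape so the output stays safe.
        self.out.append(html.escape(data, quote=False))


def filter_app_markup(app_id, markup):
    """Return (cleaned_markup, blocked) for one app's rendered fragment."""
    f = EgressFilter(APP_ALLOWLIST.get(app_id, set()))
    f.feed(markup)
    f.close()
    return "".join(f.out), f.blocked
```

Because the filter is default-deny, an app with no allowlist entry at all has every automatic fetch removed, which is the safe failure mode for a platform that does not yet know what a new app should be allowed to talk to.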
