Sunday, February 15, 2009

Facebook Throttling Rate of New Friends

Take a look at this CNN TechNews article on Facebook Friend padding.

This article has apparently nothing to do with AppSec. However, this paragraph caught my eye:

"After (Facebook User Zorn) had sent 180 friend requests in less than an hour, an automated note from Facebook popped up on his screen warning him to stop or he’d be kicked off the site."

I think is a excellent defensive coding technique from Facebook. A defensive technique like this would have stopped the MySpace SAMY XSS worm. Samy's worm esentially added friends to his profile so fast and frequently that it took down the global myspace cluster. This friend-adding “throttling” feature could have stopped or slowed down that attack.

This feature is a wise move that will not disturb the vast majority of users. Go Facebook for your appSec excellence!

3 comments:

Michael Coates said...

This kind of defensive thinking is exactly what our applications need.

There is a normal use of the application, there's usage which may be excessive, and then there is down right irregularity that is malicious.

Detecting excessive anomalous user activity or malicious attacks from the user should generate a system alert and an automated response. These are exactly the types of issues we're tackling in the OWASP AppSensor project. Check it out if you're interested.

-Michael

Ofer Shezaf said...

I think that insufficient anti automation is fast becoming a major web application security issue.

According to the Web Hacking Incidents database which I run, "insufficient anti-automation" is fast becoming one of the two major threats to web applications. You can find some noteworthy insufficient anti automation incidents at http://www.xiom.com/whid-list/Automation.

However not all anti automation issues are reported as such at WHID, for example brute force attacks which are essentially also insufficient anti automation are usually classified as authentication issues.

Jim Manico said...

Ofer, I think your comment is brilliant - to the point where the topic you are discussing is being considered for the next OWASP Top Ten.