Social Book Marking - A Spyware Makers Dream?
In the last two years according to their wiki entry, Digg.com has over one million unique visitors per day on their website. In case you’re unaware of Digg, and social book marking in general perhaps you should start with Digg’s How Stuff Works page. Recently I submitted two different applications that made it to the front page of Digg. Both of them were quick apps to make things easier for Digg users. Of course instantly, there were hundreds of downloads. Now my software is legit, as well as open source. But what if it wasn’t? What happens when a spyware maker sneaks in his malware into a legit like social book marking app, or even any piece of software in general? Well let’s take a previous event that happened on MySpace not too long ago. Basically Zango released MySpace profiles with videos embedded on it. These videos had a license agreement, which when accepted would install spyware on your PC. Most users would just assume that this is a trusted pop-up from MySpace. However these agreements had absolutely nothing to do with MySpace, and were from known adware makers. If you care to read more about it here is the article.
With social book marking we have a similar situation. User generated content is hitting the front page of a website that gets 1 million unique hits per day. Starting to see the trouble now? Say I had malicious intent to infect people’s computers. Well submitting two pieces of software to Digg could infect tens of thousands of people. The fact is while Digg is a reputable site, what it links to is never sure to be a legitimate website. But what can you do? There are dozens of social book marking sites such as Digg, Reddit and del.icio.us, all of them reputable websites. However each of them equally share this risk, and have the potential to serve spyware to thousands. One might argue that a lot of these users are technically advanced compared to MySpace users. Or that they use alternative operating system such as Linux or a Mac. However I don’t feel the need to run a virus checker, as it just wastes CPU usage. I myself would most likely run an application on the front page of a social book marking site. After all something with hundreds of people approving has to be legit right? Sadly…wrong. With such a high percentage of the technology based social websites users being Linux users, it would be the absolute perfect time to release a Linux application laced with malicious code as well. An Open source app on the front page of a popular site doesn’t justify running an unknown program. Ever. Putting an unknown link on a popular website, is eventually doomed for failure. It’s really not a matter of if it will happen, it’s a matter of when. Spyware makers will always be taking advantage of people. I would be surprised if any of them would turn down being on the front page of a website with a million hits a day. From now on I will definitely be using some form of virus checker to double check nothing malicious is embedded. My personal favorite is this online malware scanner.
An interesting and valid point, however in the case of Digg, I would guess that it would be picked up on rather quickly and the story “buried” by diggers, possibly even reported and removed by the Digg staff.
Not only would they bury the post and remove it off the main page, but the diggers will go after the person who uploaded the spyware and find out every bit of information possible about them and post it for everyone else to see. If that person really caused some damage with their software they will feel the wrath of the diggers.
Here’s a flashback to what happened to an ecommerce site that tried to be bad last year: techdirt.c...32_F.shtml
Good point. That would be a way to rapidly deploy malicious software. If you use a PC it is vital that you use Virus, spyware and a firewall these days. Otherwise just getting on the internet puts you at risk.
Yes, Digg is an influential website with lots of traffic. But it also has content filters - all the people who have to digg up a story to get it to the front page. Contrast that with a national newspaper site, for example, where you only have to convince one journalist who probably won’t try the software, and Digg has more safeguards than many sites with similar traffic.
It’s a bit of a generalisation, but most spyware seems to be bundled with crappy applications. It’s fresh software ideas that get the Diggers’ attention and make it to the front page. Anyone capable of making something worthy of the front page is likely to have more pride in their code than to let it out with spyware in it.
Also, users of Digg tend to be advanced computer users, and are likely to take precautions before installing software. I was shocked to see that you’d install software off the internet without scanning it. Never a good idea.
Regarding the risk, it’s far more likely that somebody would try to get a website that exploits a browser vulnerability on to the front page of Digg. Website content is a much cheaper investment than software development and it’s open to a much wider audience (you can write about anything, and it’s platform independent for getting the diggs if not spreading the infection).