Vulnerability Allows Anyone to DDoS Websites Using Facebook Servers

  • 25 April 2014
  • 1 reply
  • 1362 views

Userlevel 7
Badge +52
Reading a 'Note' created by anyone on the Facebook could trick you automatically to do malicious attacks against others unknowingly. A security researcher known as chr13 claims that the flaw resides in ‘Notes’ section of the most popular social networking site - Facebook, that could allow anyone to launch the distributed denial-of-service (DDoS) attack of more than 800 Mbps Bandwidth on any website. A Distributed Denial-of-Service (DDoS) attack is one in which multiple compromised systems attacks a single target system or service to make it unavailable to its intended users. The flood of incoming requests essentially forces the target system or service to shut down, thereby denying service to the system to its legitimate users. While demonstrating the vulnerability on his blog, he explained that Facebook allows its users to include tags inside the post in order to draft a note with beautiful related images from any source. Facebook basically downloads external images from the original source for the first time only, and then cache them, but if the image url have dynamic parameters, then Facebook cache mechanism could be bypassed to force the Facebook servers to download all included images each time whenever anybodys open the note in its browser. Full Article

1 reply

Userlevel 7
The following article is a update on Facebook Servers.
 
(Facebook Looks to Boost Server Security With Acquisition of Cybersecurity Startup)
 
By Mike Lennon on August 07, 2014
 
In a move to bolster the security of its massive global server network, Facebook announced on Thursday it was acquiring Palo Alto, California-based cybersecurity startup PrivateCore.
PrivateCore describes that its vCage software transparently secures data in use with full memory encryption for any application, any data, anywhere on standard x86 servers.
More specifically, the company explains:
PrivateCore vCage audits and secures OpenStack servers against persistent malware (rootkits/bootkits) and insider threats. vCage is comprised of two components: vCage Manager and optional vCage Host software. vCage Manager provides validation (referred to as attestation) for OpenStack servers to enable the created of trusted compute pools. Organizations can also deploy vCage Host, a high assurance hypervisor that protects data-in-use with full-memory encryption. Based on the open source Linux Kernel-based Virtual Machine (KVM) hypervisor, vCage host runs existing virtual machine images without modification.
“I’m really excited that Facebook has entered into an agreement to acquire PrivateCore,” Facebook security chief Joe Sullivan wrote in a post to his own Facebook page.
 
SecurityWeek/ Full Article Here/ http://www.securityweek.com/facebook-looks-boost-server-security-acquisition-cybersecurity-startup

Reply