Published: 2008-08-07
LAS VEGAS -- Two security professionals studying vulnerabilities in social networks found third-party applications on services such as MySpace and Facebook to be full of flaws, but also found that users' trust was the biggest vulnerability of all.
During a presentation at the Black Hat Security Briefings, consultants Shawn Moyer and Nathan Hamiel showed that regular users, journalists and even some security professionals were likely to trust invitations from profiles that appeared to be well-known people. A LinkedIn page, for example, made to look like it belonged to firewall expert Marcus Ranum -- and created with his permission -- gained more than 50 friends in a day, including Ranum's sister, the duo said.
Such trust is useful in getting people to run untrusted applications, Hamiel said. Instead of exploiting vulnerabilities in third-party applications, attackers can pose as a trusted source and recommend applications that seem cool, but in reality are malicious.
"Rather than spend hours, days or months trying to get Javascript to execute on people's machines, we just asked," Hamiel said.
Last month, antivirus software maker Kaspersky and multimedia tools maker Adobe warned that a purported update to the Flash Player sent to MySpace and Facebook users was actually a Trojan horse. In 2006, MySpace hired a former cybercrime prosecutor to head its security team and make the network safer for teenagers and other users.
Yet the social networking sites have also added potentially dangerous features in the past two years, especially the ability of third parties to create add-on programs. In looking at the apps created for Facebook and MySpace, the researchers found that the programs' code had well-known vulnerabilities. An input-validation flaw allowed them to look at the mailbox of the creator of a third-party application. Another flaw allowed them to access the data behind an application that matches up people based on their preferences in sexual positions.
"These are coded by people who really should not be coding applications," Hamiel said.
Social networking companies have not created a security framework to prevent these attacks, he added. A more malicious attack would involve an attacker creating a benign application that, once enough people had adopted it, would be updated to turn the installed base into a large botnet.
Posted by: Robert Lemos
