Watch your website — and this time, you have bigger threats than viral videos or suspected porn.
Hackers can apparently exploit vulnerabilities in Facebook and Google to perform distributed denial-of-service (DDoS) attacks on target websites — and neither Internet giant seems overly concerned, according to the developer that alerted the two companies to the problems.
"Both of the problems are quite serious for two reasons: 1) the ease in which the attacks can be executed and 2) the huge traffic volume these kinds of attacks can potentially generate.
The traffic would be very troublesome for most websites. Both Facebook and Google individually are close to Gigabits per second, maybe more. Combining them would be even more devastating," Chaman Thapa told CMSWire.
Thapa, "a software enthusiast who loves programming and solving problems," detailed the problems he uncovered with both sites on A Programmer's Blog and the DEFCON Hacking Page on Facebook. He claims Google Spreadsheets and Facebook Notes can be used to "DDoS any website."
And neither Facebook nor Google is arguing that Thapa is wrong.
The warning comes just weeks after hackers used a novel technique to get thousands of online video viewers to unwittingly bombard a B2B website with junk traffic. Incapsula, a web security firm, said the attack resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.
Last week, Incapsula co-founder Marc Gaffan refuted popular misconceptions that the site in question was either Youtube.com or Xvideo.com. Rather, he announced, it was Sohu.com, China’s eighth largest website and the 27th most visited website in the world.
"Sohu was exploited in such a way that its visitors were herded into becoming a giant botnet that was used to attack others, and the volume of attackers made it hard to defend against," Gaffan told CMSWire.
With the Facebook and Google bugs, an attacker does not have to wait for end-users to visit the Notes or Spreadsheet. As Chaman explained:
"The attacker is hiding behind Facebook and Google’s bandwidth to do a traffic amplification attack. So an attacker will be generating a 20 Mbps load on Facebook, but that in return will consume the bandwidth at the rate of several hundred Mbps on the target side. There is no need to use any social engineering tactics to lure people to click on Notes, but if one does then the attack may be even more devastating as more Facebook servers that are geographically spread might then be involved in the attack."
While the technical details are different, they are equally worrisome to brands and companies that could become potential victims of the hacks.
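From the site owner's side, the amplification Thapa describes shows up in the origin's access log as one third-party fetcher pulling the same large resource over and over, each time under a different query string so that the fetcher's cache is bypassed and every request is served in full. The following detection routine is an added example written for this article, not code from Thapa, Facebook or Google; it assumes Apache Combined Log Format, constructed log lines, an assumed fetcher user-agent ("ExampleFetcher/1.1") and illustrative thresholds.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (Combined Log Format). The IPs, user-agent string,
# paths and sizes are assumptions for this example, not data from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2014:12:00:01 +0000] "GET /big.jpg?r=1 HTTP/1.1" 200 5242880 "-" "ExampleFetcher/1.1"
203.0.113.11 - - [10/Apr/2014:12:00:01 +0000] "GET /big.jpg?r=2 HTTP/1.1" 200 5242880 "-" "ExampleFetcher/1.1"
203.0.113.12 - - [10/Apr/2014:12:00:02 +0000] "GET /big.jpg?r=3 HTTP/1.1" 200 5242880 "-" "ExampleFetcher/1.1"
203.0.113.13 - - [10/Apr/2014:12:00:02 +0000] "GET /big.jpg?r=4 HTTP/1.1" 200 5242880 "-" "ExampleFetcher/1.1"
198.51.100.7 - - [10/Apr/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2014:12:00:03 +0000] "GET /big.jpg HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (user_agent, path, query, bytes) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return m.group("ua"), parts.path, parts.query, size

def find_amplified_fetches(log_text, min_requests=3, min_bytes=10 * 1024 * 1024):
    """Group requests by (user-agent, path) and flag groups where a single fetcher
    pulled the same resource repeatedly, every time with a distinct query string
    (cache-busting), and the total egress exceeds min_bytes. Thresholds are
    illustrative assumptions; tune them to the site's normal crawler traffic."""
    groups = defaultdict(lambda: {"requests": 0, "bytes": 0, "queries": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        ua, path, query, size = parsed
        g = groups[(ua, path)]
        g["requests"] += 1
        g["bytes"] += size
        g["queries"].add(query)
    flagged = {}
    for (ua, path), g in groups.items():
        distinct = len(g["queries"])
        if g["requests"] >= min_requests and distinct == g["requests"] and g["bytes"] >= min_bytes:
            flagged[(ua, path)] = {"requests": g["requests"], "bytes": g["bytes"], "distinct_queries": distinct}
    return flagged
```

A flagged (user-agent, path) pair is a candidate for serving a redirect, a small cached response or a rate limit to that fetcher rather than the full file, which removes the amplification without blocking legitimate link previews.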
'It's Not a Bug'
Chaman reported the vulnerabilities to both Facebook and Google. Both companies have bug bounty programs, which reward security researchers for warning about potential threats. Both companies thanked him for his interest, but denied the issues were really "bugs."