The "sophisticated attack" on Facebook revealed last week could indicate a much larger threat to mobile developers according to one security expert.
Sean Sullivan, security advisor at Finnish security company F-Secure, has examined the attack on Facebook and drawn some worrying conclusions for mobile app developers, who may be the target of similar attacks in the coming days, weeks and months.
Sullivan believes that, far from being a problem only for Facebook, this attack points to a much larger problem for mobile app developers, whose systems could be compromised in the same way, putting thousands if not millions of apps at risk.
Facebook's announcement of the hack last Friday evening was low on specifics, but it described the attackers as "sophisticated" and said they did not target Facebook alone: "it is clear that others were attacked and infiltrated recently as well."
Twitter made a similar announcement on 1 February after 250,000 of its accounts were compromised, also calling the attacks "sophisticated" and warning that other "companies and organisations" had been similarly attacked.
The attack vector was a mobile developer's website which a number of Facebook engineers visited on their laptops; malware was downloaded in the background and infected the machines.
Facebook did admit that the exploit used took advantage of a zero-day vulnerability in Java, but Sullivan had a more interesting question to ask: "What malware on what type of laptop?"
The reason Sullivan asked what type of laptop is that most developers at Facebook are known to use Apple's MacBook laptops for their work. Indeed, a cover photo for Facebook's Security Team shows a couple of Facebook engineers using a MacBook Pro.
The reason this is so important is that many Mac users believe they are not vulnerable to malware as the vast majority of it targets Windows PCs.
Addressing the type of malware which could have been downloaded to the Facebook engineers' laptops, Sullivan says F-Secure received new Mac malware samples to analyse late on Friday night, hours after the Facebook hack was announced.
These samples were uploaded to VirusTotal, a free online virus and malware scanner, on 31 January which was the day before Twitter was hacked and 250,000 of its accounts compromised.
While Twitter didn't publicly admit that the hack also used a Java exploit, the company's Director of Information Security recommended disabling Java's browser plug-in on the same day as the attack.
The URLs used by the samples include a misspelling of Apple Corp, something that sounds like a digital consulting company, and something that pretends to be a cloud storage service.
"There's a Mac threat out there and most Mac users are completely unaware of it. They have a false sense of security," Sullivan says on the News from the Labs blog.
However, Sullivan believes the problem is even worse than this.
According to Facebook itself, the site which hosted the Java exploit was a mobile developer website, which Sullivan believes indicates a "watering-hole attack targeting mobile application developers."
A "watering-hole attack" involves compromising legitimate websites, specific to a geographic area, which the attacker believes will be visited by end users belonging to the organisation(s) they wish to penetrate.
In this case, the website of a legitimate mobile developer was targeted, with the attackers knowing that the people they were really targeting (Facebook, Twitter, etc.) would sooner or later visit the site, allowing them to infect the computers of these organisations.
This type of attack allows hackers to infiltrate systems otherwise closed off to them, since Facebook's own security would spot a straightforward attack.
However, as Sullivan points out, not all Silicon Valley start-ups can afford dedicated security teams, like those at Twitter and Facebook, that will spot such an attack. Sullivan believes the Facebook attack could point to a much, much bigger problem:
"There are hundreds of thousands if not millions of mobile apps in the world. How many of the apps' developers do you think have visited a mobile developer website recently? With a Mac... and a very false sense of security?"
When you consider that a mobile app like WhatsApp has over 100 million users on Android alone, it is clear that an attack vector like this could mean that hundreds, if not thousands, of apps in the Android and iOS app stores could be compromised.
Sullivan has this advice for mobile app developers:
"Any developer who has Java enabled in his browser, has visited mobile developer websites in the last couple of months, and finds evidence his computer is compromised - probably should use his source code versioning system to check recent commits."