The Black Hat security conference session this morning, “Satan is on Your Friend’s List,” about attacking social networks was hilarious, even though its implications are serious for social network users and for the companies being built on top of those networks.
MySpace was the target today. But as the speakers pointed out, they picked it because it uses the OpenSocial platform and has the most complete list of features that will become standard in other networks. The basic problem with social networking security is that companies are having an awful time protecting personal data on a network that is meant to be open, said Nathan Hamiel, security consultant at Idea Information Security and associate professor at the University of Advancing Technology. His talk partner was Shawn Moyer, a security researcher at FishNet Security.
“Social networks have millions of users and so they’ve become a great attack platform,” said Hamiel.
As the two researchers staged mock attacks against MySpace from faux accounts, they found vulnerabilities that they wondered if they should disclose. It turned out in many cases that the information was already published as part of the application programming interfaces, or APIs, that are available to partners who develop applications for the social network.
“Just because they’re open doesn’t mean that it can’t be secure,” Hamiel said in an interview. “Open source networks are often more secure.”
One attack that they chronicled should be scary to all MySpace users. They showed how they could redirect a user to a malicious site that could give a hacker access to personal data in the inboxes or private photos on a user’s MySpace account. The attack works like this. The attacker posts a comment on a user’s MySpace page. Embedded within it is an invisible image which links to an external site outside of MySpace. The link can compromise the user’s account in a variety of ways. It can add a friend to a user’s account that the user never intended to accept. The researchers also showed how the same trick could be used to create a comment on a user’s page that could never be deleted.
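Two server-side checks that block the comment-image trick described above, added here as an illustrative example (not code from the talk or from MySpace): a sanitizer that drops user-posted images whose source is off-site, and a state-changing "add friend" endpoint that refuses the plain GET an image fetch produces and demands a session-bound token. The allowlisted host and the endpoint names are assumptions for the example.

```python
import hmac, html, secrets
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_IMAGE_HOSTS = {"images.example-social.test"}  # hypothetical allowlist

class OffSiteImageFilter(HTMLParser):
    """Rebuild comment markup, keeping a few formatting tags and only allowlisted <img>."""
    KEEP = {"b", "i", "p", "br"}
    def __init__(self):
        super().__init__()
        self.out, self.dropped = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            # urlparse maps "//evil.test/x.gif" to host evil.test; hostless (relative) srcs are dropped too
            if urlparse(src).hostname in ALLOWED_IMAGE_HOSTS:
                self.out.append(f'<img src="{html.escape(src, quote=True)}">')
            else:
                self.dropped += 1
        elif tag in self.KEEP:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in self.KEEP:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize_comment(raw):
    """Return (clean_html, number_of_off_site_images_dropped)."""
    f = OffSiteImageFilter()
    f.feed(raw)
    f.close()
    return "".join(f.out), f.dropped

def issue_csrf_token(session):
    """Mint a random token, bind it to the server-side session and return it for the form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def handle_add_friend(method, form, session, friends):
    """State-changing endpoint. An <img src> fetch is a GET with no form body, so refusing
    GETs and requiring the session-bound token stops a planted image from adding a friend."""
    if method != "POST":
        return 405
    sent, expected = form.get("csrf", ""), session.get("csrf", "")
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403
    friends.add(form["friend_id"])
    return 200
```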
“If you link to crap off site, you can have epic fail,” Hamiel said.
MySpace’s security staff deleted some of the fake accounts Hamiel and Moyer used (only because one of the tests generated a lot of traffic). But the researchers, who noted that they had “benign payloads,” showed videos demonstrating how the attack worked in practice. MySpace hasn’t yet responded to a request for comment; their security experts attended the talk. The researchers also showed how easy it was to create a fake LinkedIn account for one of their mutual friends (it took about three hours to build and then a day to recruit 50 friends), as well as a fake Twitter account. Those accounts can be used to befriend others and deceive them into granting access to personal information.
The researchers expressed more concern about the quality of code being created by third-party application developers who are creating software that runs on top of Facebook or MySpace. They showed how they could find out how people answered questions about their favorite sexual positions on a “Kamasutra Poll” on MySpace.
One of the problems is that people still tend to trust their social networks and the applications on them, even though they are no more secure than emails that come from out of the blue, Moyer said. That is evidenced by people, even in the security and government circles, who are “link whores,” or users who will befriend just about anybody. Hacking social networks yields much better results if they combine “social engineering” (deception based on the assumptions people make, such as