Updated Sept. 8 with National Geographic saying the app is not sanctioned by them.
Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a botnet that in a demonstration launched denial-of-service attacks on a victim server.
"Social Network Web sites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore.
The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper.
A National Geographic spokeswoman said the app is not sanctioned by her company.
Such a botnet could be used for other types of attacks, such as spreading malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.
The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet."
In addition, the apps pose privacy risks as well because of the access they have to the data of the people who add the apps to their pages, the paper says.
Similar privacy and security concerns have been raised by others after previous third-party apps have been found to have security holes in Facebook.
Facebook representatives did not return e-mails seeking comment.