Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Blog - Facebook Security
September 9, 2007
Been doing some research lately into this interesting social networking experiment called "Facebook". Maybe you’ve heard of it …?
Somewhat seriously, I think I’ve been remiss by not becoming more familiar with sites such as facebook and myspace, primarily because they raise tons of privacy and security questions. Questions on those topics are already being publicly debated, which is a good thing.
However, regarding facebook specifically, one topic that doesn’t seem to be getting much attention is security from an integration and software development perspective. Third party applications are proliferating like nobody’s business! Each such app - and they integrate tightly with facebook - is likely to have a different privacy and usage model, and each is granted access to a great deal of user information which is then stored … somewhere.
On one hand, it’s all well and good for technically savvy people to say that net users shouldn’t put any information online that they don’t consider to be public. And that, therefore, if that data happens to be stolen from some data center, no big deal since it’s public anyway, right? But I’ll wager that the majority of online users either don’t think that way, or at least don’t consider what the aggregate of all readily available information about them could imply. I mean, if a bad guy can get a database of all of the shared data for 10,000 facebook users, wouldn’t that be a convenient springboard for him to launch other attacks - phishing, identity theft?
Links for current dialog on this subject:
* When users first join facebook, they are prompted for their email account passwords. Facebook will then log in to the user’s email account and upload all of their contacts. This happens by default! Awesome. See http://elronsviewfromtheedge.wordpress.com/2007/04/13/the-modern-facebook-of-security/.
* JavaScript holes that have reportedly been patched - http://ajaxian.com/archives/facebook-javascript-and-security.
* This looks like such an urban legend, but here’s a story about a student whose facebook data came back to bite him during a job interview - http://www.lsus.edu/career/announcements_details.asp?ID=43.
* Facebook recently leaked some PHP source code, although references to it appear to have been removed from all domestic web sites on account of legal DMCA notices. That apparently doesn’t work outside of the good old US of A, though - http://fenikss.yeahost.com/?p=61.
* Facebook recently exposed supposedly private user inboxes - http://www.theregister.co.uk/2007/07/31/facebook/.