More About Security Risks in Social Network Sites
Given the current popularity of social networking sites, this particular posting is not likely to be one of the more popular ones that I have written. But I feel compelled to write more about the security risks associated with these sites because of a recent incident that a good friend of mine experienced. I received an email message from him earlier today in which he informed me as well as others that information about him that was recently spread on Facebook was completely untrue. An update from his account claimed that he was stuck in London, England and could not get home because he had no money. The update asked readers to transfer money to a certain bank account so that he could get home. What ostensibly occurred was that a fraudster broke into his account by guessing his password, then created and sent the update that others and I received.
Fortunately, it appears that no one fell for the perpetrator’s scheme, but they could easily have succumbed to it. My friend’s rapid detection of the scam and retraction of the update almost certainly saved the day. Had the perpetrator actually changed my friend’s password, things would have almost certainly been more complicated, but fortunately for him, his password was not changed. (Hopefully, by now he has changed it.)
Perpetrating fraud, misuse, and other dire deeds on social networking sites can require considerable sophistication, but usually it does not. Breaking into accounts is in fact downright easy, because users tend to choose weak passwords and because the sites impose few security controls, such as locking an account after repeated failed logins. Once someone has broken into an account, the perpetrator can do anything the legitimate user can, as apparently happened in my friend's case. But the perpetrator can do much more, too. One option is to create a bogus profile impersonating one of the compromised user's friends, using that friend's picture harvested from the compromised account. The perpetrator can fill this profile with whatever information suits the scheme and then invite others to "Add a friend." The invitees see a request that appears to come from someone they know; anyone who accepts and confirms it exposes their personal information to the perpetrator. Because sending a friend request requires no authentication beyond the weak login procedure already needed to use an account, accepting invitations is a much riskier proposition than it should be. The photo attached to the invitation only makes things worse, since it provides a false assurance that the invitation is legitimate.
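As an added example (not code from this post or from any of the sites it names), the two account-level controls the paragraph says are missing: a registration check that rejects passwords drawn from a list of common choices, and a per-account lockout after repeated failed logins, so that online guessing of the kind described above stalls rather than succeeds. The password list, the account names and the threshold values are constructed for illustration; the password hashing uses PBKDF2 from the standard library.

```python
"""Password-guessing defenses a social networking site could apply at login.

Added example: rejects common passwords at registration and locks an account
after MAX_FAILURES bad attempts. Names, thresholds and the word list are
constructed for illustration, not taken from any real site.
"""
import hashlib
import hmac
import os
import time

# Constructed sample of guessable passwords; a real deployment would use a
# large breached-password list, not a handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "facebook", "london"}
MIN_LENGTH = 12
MAX_FAILURES = 5          # failed logins before the account is locked
LOCKOUT_SECONDS = 900     # how long the lock lasts (assumed value)


def _hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so an offline attack on a stolen database is costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    """In-memory accounts; `clock` is injectable so lockouts can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        # Reject the "lousy passwords" that make guessing attacks trivial.
        if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is too short or too common")
        salt = os.urandom(16)
        self.accounts[user] = {
            "salt": salt,
            "hash": _hash(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            # Same answer as a wrong password, so usernames cannot be enumerated.
            return "bad_password"
        now = self.clock()
        if now < acct["locked_until"]:
            # While locked, even the correct password is refused, which is the
            # point: the guesser cannot keep cycling through a word list.
            return "locked"
        if hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "bad_password"


def guessing_attack(store: AccountStore, user: str, wordlist):
    """Simulate an attacker working through a word list against one account.

    Returns (list of per-attempt outcomes, whether the password was found).
    """
    outcomes = []
    for guess in wordlist:
        result = store.login(user, guess)
        outcomes.append(result)
        if result == "ok":
            return outcomes, True
    return outcomes, False


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery")
    # The true password is last in the list; the lockout stops the attacker
    # before reaching it.
    print(guessing_attack(store, "alice",
                          ["password", "123456", "qwerty", "letmein",
                           "facebook", "correct horse battery"]))
```

The lockout here is per account and time-based, which is enough to defeat a single attacker hammering one victim; a site would also want per-source rate limiting and a generic failure message, and would alert the account owner, since a locked account is itself a signal that someone is guessing.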
The lack of security controls in social networking sites is perfectly understandable: requiring users to do something even slightly difficult is likely to drive them to a competing site that makes fewer security-related demands, and the resulting loss of membership means decreased revenue. However, the owners of these sites are walking on eggshells, so to speak. Consider the following very recent events:
• Twitter was taken offline by a distributed denial of service (DDoS) attack.
• A Twitter account was used in connection with a botnet: botnet commands were issued from the account.
• Spyware designed to steal Facebook users' information has been discovered.
• Cross-site scripting vulnerabilities have been discovered in Facebook.
• Twitter accounts were used to send spam.
Going back not all that far, you might remember that a Facebook worm infected many accounts, and that a vindictive mother of a teenage girl used MySpace to torment a 13-year-old former friend of her daughter to the point that the girl committed suicide. In failing to deploy adequate security and privacy measures, Facebook, MySpace and Twitter are opening Pandora's box. It is just a matter of time until a flood of lawsuits and cancelled accounts occurs. As almost always, nobody seems to get information security right until the pain becomes great, and social networking sites are not likely to be an exception to this rule.