Facebook faces the music

By Dan Kaplan
Apr 24, 2009 | 8 Comments
I just got finished reading a lengthy article about Facebook in New York Magazine - easily my favorite magazine in the whole world, well, aside from SC Magazine - and, like I figured, it failed to touch on any of the information security risks of the popular social-networking site.

That’s not to say the story overlooked the privacy ramifications of the site. In fact, much of the article revolved around the inarguable fact that Mark Zuckerberg and his cronies are amassing huge amounts of data on you - you gotta be on Facebook, right? - and tens of millions of your friends all over the world (even if they promise to protect it while you’re here and get rid of it if you decide to leave).

But I’m not here to debate this point, although it seems as if Facebook is making a good faith effort to satiate privacy advocates. The problem with Facebook, and other burgeoning social networking sites like Twitter, is that we get all caught up in this data privacy issue and never talk much about the insecurity of web applications - and how that can be a really bad thing.

We saw it over the weekend, up close and personal, when an attention-seeking teenager from Brooklyn (aren’t they all, really?) devised a cross-site scripting worm that was able to cut across Twitter and infect - albeit benignly - a vast number of profiles.

But what if this attack were more profit-driven? What if the worm spread links to a more malicious website than it did? What if the code asked the user to divulge personal information?

Sites such as Facebook and Twitter have a lot on their minds, mainly figuring out how to monetise their insane popularity. (It’s harder than it seems; nobody wants to pay for anything on the internet.)

But amid their revenue-generating boardroom meetings, they must stop for at least a few minutes to show users their commitment to code security and recognise their place as pioneers in the web’s revolution. Pretty soon, everyone is going to be doing something at least somewhat similar to Facebook and Twitter.

As a blog post on the Gnucitizen think tank said soon after the Twitter attack:

There is no merit in discussing how this has been done and for what purposes but this incident is yet another proof that the attack landscape is rapidly changing and moving towards web enabled infrastructures and the client-side. Sooner or later almost every website will be equipped with social capabilities (Google’s own opensocial and friendconnect platforms) and then simple persistent XSS attacks will turn into quite nasty problems.

John Pescatore of Gartner was a tad more terse in his “Twelve Word Tuesday” blog post:

Malware just taught Twitter the lesson Microsoft learned in 2001: security matters.

We’re looking up to you, Facebook, Twitter, MySpace, etc. Please don’t let us down.
 
Comments: 8
I like facebook for social networking and keeping track of my friends but it's no bueno when it comes to discovering bands. I find the layout of myspace to be nauseating so I've been using www.putiton.com to find and follow new music acts.
Posted by Sam Hamilton, Jun 5, 2009 4:14 AM
>>/
Posted by armin, Jun 13, 2009 10:38 PM
I agree with sam. putiton.com will be pretty cool when more artists sign up. good article Dan...
Posted by James, Jun 17, 2009 4:39 AM
Hi, Well translator in this time we are founding they perform its task because translator means performs its works easy among different projects and now every one like to use translator in every language translator is available.
Posted by Perth Translator, Aug 24, 2009 8:46 PM
I
Posted by lane, Sep 11, 2009 3:56 AM
I read articles in facebook Its nice to hear facebook.It show popular people and their stories about popular and adding friends. I also like the http://tinyurl.com/y8wqgap/ at the end, like you have it
Posted by Jordan, Feb 20, 2010 5:07 PM
There is no meritoriousness in discussing how this has been done and for what purposes but this incident is yet other see that the round landscape is rapidly dynamical and mobile towards web enabled infrastructures and the client-side. Soon or after near every website faculty be transistorised with party capabilities and than ultimate relentless XSS attacks leave activity into quite grotty problems. ------------------------------ @Jackson [URL=http://www.smart-card.com]smart card[/URL]
Posted by Jackson, May 27, 2010 5:43 PM