
Facebook Hijacking Points To Social-Networking Holes


The takeover of administration rights to a large number of Facebook groups by an organization that calls itself Control Your Info is just one example of the many security issues facing social-networking sites in general and Facebook in particular, according to experts.

Indeed, this nontechnical exploit can be called a benign example of what is at risk if better controls aren't put in place. Control Your Info hijacked almost 300 groups by simply taking over unadministered groups. Dave Amsler, the cofounder and CIO of Foreground Security, said the illegitimate administrators have access to profile information, e-mail addresses and other data that members have provided. He pointed out that credit-card numbers aren't involved.

Hijacker Message

Control Your Info posted this message at those groups:

"Hello, we hereby announce that we have officially hijacked your Facebook group.

"This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly [sic]."

The group didn't respond to a request for an interview sent to the e-mail address at its web site.

Facebook's press-relations department e-mailed a statement which read in part that "there has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to private user information and group members can leave a group at any time."

Bigger Problems

The situation is evidence of significant vulnerabilities in Facebook, Amsler said. "The social-networking sites -- Facebook being the most important -- have major security issues," he added. "No one is bothering to secure anything."

He said the company seemed unconcerned when contacted. "We've reported major findings to them and their response is, 'Yeah, we know about it. There is not a whole lot we can do about it.'"

Amsler added that he agrees with the stated aims of Control Your Info -- to call attention to what critics say is an insecure Facebook environment -- but thinks the group acted unethically in hijacking groups. Still, he believes that Facebook probably will make the relatively easy, nontechnical changes necessary to prevent the hijackings.

Facebook defended its practices. "Security is a top priority for Facebook, and we devote significant resources to helping our users protect their accounts and information," according to a spokesperson. "Any assertion to the contrary is false. We think this focus on security is a major reason Facebook was recently named one of the top 10 most trusted companies in an independent survey conducted by TRUSTe and the Ponemon Institute."

Don't Forget Koobface

That doesn't mean Facebook is home free. Ivan Macalintal, a researcher for Trend Micro, said he has been following Koobface, a worm that is unrelated to the Control Your Info situation. While Koobface is aimed at all social-networking sites, perhaps its name -- an anagram of Facebook -- reveals its true target.

It's impossible to say precisely what Koobface does, since it is a delivery mechanism. The actual payload it carries could do such things as steal information or install rogue antivirus programs.

The openness of social-networking sites is running headlong into the need to make sure the sites are safe. "This is just the tip of the iceberg. With social-networking sites, there are much bigger fish to fry," Amsler said. "Facebook, MySpace and YouTube have not been performing for the users. There are major vulnerabilities found on those sites, to the point where anybody can have their information completely compromised."