Everybody agrees that social networking sites have become a main part of our lives. In the past we used different sites for email, chatting, news, entertainment, etc., but thanks to social networking sites we can now do all of these activities on a single site.
A social networking site user creates his/her account, publishes content and communicates with other parties without any problem. As with any other application on the internet, the user needs to trust a third party, which in this situation is the social networking site itself.
What happens if these sites don't provide enough security for users? They can be a source of personal information leaks and also a malware attack vector, through the exploitation of programming flaws in websites, when these sites are not used cautiously.
Social networking sites are made by humans, and they can have errors that compromise the site’s security measures. This has happened a number of times to well-known social networking sites and will likely happen again in the future.
In these occurrences, all users are at risk. Poorly thought-out security, weak administration practices, or badly written code can all help an attacker to gather your data or to stage a bigger attack against any number of users.
Some websites do not have privacy controls in place, or the ones they have do not protect all user data. Also, many users simply do not bother to configure these controls because of laziness or lack of knowledge. This means that, whether by the site’s design or through an outside attacker, user content could be under any type of security threat.
There are a lot of stories about famous social networking sites that have come under attack, and here are some of them:
In Pinterest, a cross-site scripting (XSS) vulnerability and an iframe injection issue were identified that could allow hackers to hijack user accounts and perform other malicious operations. A URL redirection flaw was also found that could be leveraged to redirect the site’s visitors to other potentially malicious domains.
There have been instances of security flaws on Facebook that allowed anybody to access the “basic information” data of any user, no matter what their security settings were. This attack was released by casual users after Facebook ignored the users’ warnings for a few days. No great knowledge was needed in this case to exploit a security weakness.
Twitter has had “cross-site scripting” attacks performed against it. In these cases, the attackers could change the Twitter status of any user accessing the attacker’s account. This meant that the bad guys could make you tweet bad links so your Twitter followers would be at risk of being infected.
MySpace was attacked in 2007 by a piece of JavaScript that would copy itself to the viewer’s profile along with a piece of text: “Samy is my hero.” This was caused by a security flaw that could have caused the victim to run any other command, like redirecting the page to a malicious website. Thankfully, the young man who discovered the flaw and created the worm only wanted to have more friends added to his profile.
These four stories are not the only cases of security flaws on social networking sites; in fact, such flaws are identified frequently. News about such security holes is released every month and is a concern for all affected websites and their users. Since their solution is out of the user’s hands, it is difficult or impossible for users to do anything about them.
Social networking sites keep adding to their security controls and refining their existing ones, but as in any development project, they also continue to innovate on their platforms and add exciting new features. These new options need to keep up with the security features or they too will suffer from security weaknesses.
For these reasons, social networking sites need to keep updating their security mechanisms and measures to detect, prevent, or recover from a security attack.
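As an added illustration (not code from any of the sites mentioned), the sketch below shows two site-side preventive checks that the stories above point to: encoding stored profile text on output, as in the MySpace and Twitter cases, and validating a redirect target against an allow-list, as in the Pinterest case. The origin `social.example`, the host list, the function names and the sample inputs are all assumptions made for the example.

```javascript
// Added example: hosts, names and sample inputs are constructed for illustration.

// Encode the characters that let text break out of an HTML element or attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored profile text is pasted into the page as markup,
// so a script saved in one profile runs in the browser of every viewer.
function renderProfileUnsafe(profile) {
  return `<div class="about">${profile.about}</div>`;
}

// Hardened pattern: the same text is encoded at output time and is shown, not executed.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Redirect check: follow only same-site paths or hosts on an explicit allow-list.
const SITE_ORIGIN = 'https://social.example'; // hypothetical site
const ALLOWED_HOSTS = new Set(['social.example', 'help.social.example']);

function safeRedirectTarget(next) {
  const fallback = '/home';
  // Reject backslashes and control characters, which browsers normalise in surprising ways.
  if (typeof next !== 'string' || /[\\\u0000-\u001f]/.test(next)) return fallback;
  let url;
  try {
    url = new URL(next, SITE_ORIGIN); // relative paths resolve against our own origin
  } catch {
    return fallback;
  }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) return fallback;
  if (url.username || url.password) return fallback; // no user@host tricks
  return url.origin === SITE_ORIGIN ? url.pathname + url.search : url.href;
}

// Constructed sample data.
const sampleProfile = { about: '<script>alert("hi")</script> I like hiking' };
console.log(renderProfileUnsafe(sampleProfile)); // markup reaches the page unchanged
console.log(renderProfileSafe(sampleProfile));   // markup is displayed as text
console.log(safeRedirectTarget('//evil.example/login')); // falls back to /home
```

Encoding belongs at output time for the context the text lands in; this helper covers HTML element and quoted-attribute contexts only, not script or URL contexts.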