Protect Yourself on Facebook
Love them or hate them, social networking sites are here to
stay. And your users are going to find ways to use them from
home, from work, from smart phones, from shared computers,
or from anywhere else they care to.
The whipped cream is out of the can. Now what can we do
about it?
Like so many millions of others, I’ve found Facebook and
Twitter in the last few months, in addition to the more
traditional professional networking sites I’ve used for
years, like LinkedIn. But what started as idle curiosity
soon grew into addiction.
Yes, my name is Ken and I’m addicted to…
But gosh darn it, they’re fun! I’ve re-connected with many
old friends, and I like knowing what they’ve done with their
lives. OK, we’re not likely to become best friends again,
but I still value that connection we’ve made again.
So, how secure are these sites?
I’ve experienced several classic Web security issues in each
of the sites I frequent, and without a doubt there remain
many vulnerabilities to be discovered. But that hasn’t
stopped me from using them.
Like any decision involving risk, I’ve studied the issues,
minimized my own exposure, and I’m getting on with what I
care to do.
Let’s start by looking at the issues briefly.
Web apps:
Well, for starters, they are Web applications, and as such
they’re potentially vulnerable to a plethora of issues, from
the OWASP Top-10 and beyond – and yes, there are far more
than 10.
And don’t think for a moment that all web application
vulnerabilities solely place the application at risk. Many
also put the app’s users at risk: cross-site scripting (XSS),
cross-site request forgery (CSRF), and others can be used to
attack the users quite easily.
As a user of a social networking site, you’re placing your
(and your employer’s) data at risk.
Active content:
Long-time readers of this column (hi Mom!) have heard me
talk about the dangers of active content many times.
JavaScript, Java applets, Flash, ActiveX, and many others
are all examples of active content. And guess what? Every
popular social networking site in existence – or at least
every one with a significant population of users – absolutely
requires active content in order for the site to function.
The bottom line: by allowing active content into your
browser, you are trusting someone else’s code to run on your
computer safely. Well, what’s the big deal? We do that all
the time. Well, now the code is dynamic and maintained
somewhere else, and you’re trusting it every time. Gulp!
Domain of trust:
Some of the HTML, JavaScript, etc., that arrives in your
browser comes from (say) Facebook. Fair enough: if you’re
going to use Facebook, you’ll need to trust that content.
But your browser isn’t so discerning. Some of the stuff that
comes into it while you’re on Facebook might be provided by
someone else: another Facebook user; an attacker; a third
party application on Facebook. If your browser trusts
Facebook, chances are it’s also going to trust that code.
This extends the active content exposure pretty
substantially.
User-supplied content:
Users put all sorts of content into their own profiles. URLs
pointing to cool sites, photos, etc. If they link to
something dangerous—perhaps inadvertently—and you click on
it… Well, you get the drift.
Third party applications:
Most of the popular social networking sites have a
third-party application interface for companies to generate
their own content. Most of it is pretty innocuous and in the
spirit of good clean fun, like a little app that lets you
“throw” a virtual snowball at someone else. But, again, it
extends that trust boundary in ways you might not want.