Facebook, Twitter fail latest security assessment

Powered by SC Magazine
 

Lack of SSL authentication a major drawback.

A nonprofit security think-tank's 'report card' has failed Facebook and Twitter for neglecting to implement safeguards that are available on other popular online services.

Digital Society recently doled out grades for the security of a number of widely-used online services, including Facebook, Twitter, Gmail and Hotmail.

The services were graded on whether they use full Secure Sockets Layer (SSL) protection and on whether they are susceptible to attacks that can expose users' credentials or authentication cookies.
Of the services graded, Facebook and Twitter came out at the bottom, both receiving the lowest grade of 'F'.

The most pressing security problem affecting the two social networking sites is that they do not use SSL authentication, a means of verifying the site's identity to users through visual cues such as a padlock icon or 'HTTPS' in the website URL, George Ou, policy director at Digital Society, told SCMagazineUS.com.

“They are not verifying to users who they are before they ask for a username and password,” Ou said.

As a result, attackers can create a fake Facebook or Twitter login page that is indistinguishable from the real thing and trick users into handing over their credentials, he added.

Moreover, neither Facebook nor Twitter uses end-to-end encryption to safeguard users' sessions, leaving them vulnerable to an attack known as 'HTTP session hijacking', in which an attacker steals a user's session cookie to take over the account, Ou said.

The danger of unencrypted websites garnered widespread attention late last month with the release of a free tool called Firesheep. The Firefox web browser plug-in lets anyone scan open Wi-Fi networks and hijack accounts belonging to sites such as Twitter and Facebook. Since its release, the extension has been downloaded more than 600,000 times.
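The two weaknesses the article describes, a session cookie that the browser will send over plain HTTP and a login page whose identity is never verified, are both visible in a site's response headers. The following audit script is an added illustration and is not from the article, Digital Society or any of the companies named; the header samples it checks are constructed, not captured from Facebook, Twitter or any real site. It flags cookies missing the `Secure` and `HttpOnly` attributes and responses that lack a `Strict-Transport-Security` header or are served without TLS, which are the conditions that made the Firesheep-style cookie theft possible.

```python
"""Audit HTTP response headers for the exposures described in the article.

Added example, not code from the article. The sample responses below are
constructed for illustration and do not come from any real site.
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple

Header = Tuple[str, str]


@dataclass
class CookieReport:
    """Security-relevant attributes of one Set-Cookie header."""
    name: str
    secure: bool    # browser only sends it over HTTPS
    httponly: bool  # page scripts cannot read it

    @property
    def problems(self) -> List[str]:
        out = []
        if not self.secure:
            out.append("sent in clear over HTTP (missing Secure)")
        if not self.httponly:
            out.append("readable by page scripts (missing HttpOnly)")
        return out


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse 'name=value; attr; attr=val' into a CookieReport.

    Attribute names are case-insensitive per RFC 6265, so they are lowered.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name,
                        secure="secure" in attrs,
                        httponly="httponly" in attrs)


def audit_response(scheme: str, headers: List[Header]) -> Dict[str, List[str]]:
    """Return a mapping of cookie name (or '_site') to a list of findings.

    An empty dict means nothing in the response would expose a session
    the way the article describes.
    """
    findings: Dict[str, List[str]] = {}
    has_hsts = False
    for key, value in headers:
        lowered = key.lower()
        if lowered == "set-cookie":
            report = parse_set_cookie(value)
            if report.problems:
                findings[report.name] = report.problems
        elif lowered == "strict-transport-security":
            has_hsts = True

    site: List[str] = []
    if scheme != "https":
        site.append("login page served without TLS: site identity unverified, "
                    "credentials and cookies travel in clear")
    if not has_hsts:
        site.append("no Strict-Transport-Security: later visits may start "
                    "over plain HTTP")
    if site:
        findings["_site"] = site
    return findings


# Constructed sample: a login page over plain HTTP with an unprotected
# session cookie, the pattern the article's 'F' grades refer to.
WEAK_RESPONSE: Tuple[str, List[Header]] = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
])

# Constructed sample: the same page hardened with TLS, cookie flags and HSTS.
HARDENED_RESPONSE: Tuple[str, List[Header]] = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
])


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE),
                            ("hardened", HARDENED_RESPONSE)):
        result = audit_response(*response)
        print(f"{label}: {result if result else 'no findings'}")
```

The `Secure` attribute is the cookie-level fix for the sniffing problem: even if a user follows an `http://` link, the browser withholds the session cookie. `Strict-Transport-Security` is the site-level fix that keeps the first request from ever going out over plain HTTP once the browser has seen the header.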

A Facebook spokesman told SCMagazineUS.com in an email that the site has recently implemented a number of safeguards and is working to improve security further.

“We appreciate Digital Society raising awareness about the dangers of surfing over unsecured networks, and we have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” a company spokesman said. “However, the report fails to include many important security metrics that place Facebook as a leader in this industry and doesn't even mention many of the unique security features we offer to make accounts more secure.”

Those security features include login notification, remote session management, one-time passwords, and internal spam prevention systems, the spokesman said.

A Twitter spokeswoman said the microblogging service takes security seriously but does not have a comment on Digital Society's report card.

Meanwhile, in Digital Society's assessment, Gmail received an 'A' grade for implementing safeguards, such as SSL authentication and browsing.

Hotmail, on the other hand, received a 'D-' grade. Security issues in the webmail service could allow an attacker to view every message a user has received and sent, or to send messages on behalf of a user, Ou said.

Microsoft, however, plans to upgrade the security of Hotmail by enabling SSL browsing, he said.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition