Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Diaspora code on Facebook full of critical security flaws

Add to del.icio.us     Digg this story Digg this

September 17, 2010

Four New York University students who got paid a large amount of money to design and build an improved and more secure privacy-preserving alternative to Facebook are going to be real busy in the next few days.

The new release of the beta source code for their 'Diaspora Social Website' was only a few hours online on Sep. 15 when hackers began discovering critical security holes they said could seriously compromise the overall security of unsuspecting people who used it.

The critical security flaws make it possible to hijack accounts, contact users without their permission, and delete their photos or other user content.

The Diaspora project (as it is called) grew out of wide-spread dissatisfaction that many Facebook users expressed earlier this year in response to the company's privacy changes that without warning exposed personal details many users didn't want to share with anybody.

When the developers sought funding, they asked for $10,000. So strong was the discontent of some Facebook users that they ended up with donations exceeding $200,000!

Now the Diaspora creators were very clear that Wednesday's release came with no specific guarantees and included known security flaws. But the creators said they weren't 100 percent certain that the message had reached some of the project's most fervent fans. Some most likely didn't get the warning, or if they did they probably didn't read it, the creators said.

“Currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

“About the only thing I haven't been able to do yet is to compromise the security of the server that Diaspora is hosted on. That's not because that isn't possible. If a professional security researcher goes after this, I have every confidence that they will be able to easily compromise the server and bring down Facebook to its knees.”

Security encryption features in Diaspora, which runs on the Ruby on Rails software stack, is also susceptible to a recently enhanced “Oracle Padding Attack,” being demonstrated this week at the Ekoparty conference in Argentina.

A few security experts are now concerned that Ruby on Rails isn't as secure as its creators have claimed it in the past.

“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, OK, what do I need to do to get this running because I hate being on Facebook,” McKenzie said.

“They are going to get burned in a very serious manner very quickly if they actually succeed in doing what they're trying to do. Facebook simply isn't a secure application, and until users fully realize this, there will be more and more security issues that will pop up all the time,” he added.

And McKenzie isn't the only one who has found critical security flaws in Facebook. Among the list of the many reported issues in the code are numerous XSS — or cross-site scripting — attack vulnerabilities, a session token that's easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields.

McKenzie first voiced his concerns on a online hacker discussion forum devoted to Wednesday's release. So far, Diaspora representatives didn't respond to an e-mail seeking comment over the security issues.

Add to del.icio.us     Digg this story Digg this

Source: Patrick McKenzie.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.


You can link to the Internet Security web site as much as you like.


| Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact |
Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer






Get your Linux or Windows dedicated server today.