Diaspora code on Facebook full of critical security flaws
September 17, 2010
Four New York University students who got paid a large amount of money to design and build an improved and more secure privacy-preserving alternative to Facebook are going to be real busy in the next few days.
The new release of the beta source code for their 'Diaspora Social Website' had been online only a few hours on Sep. 15 when hackers began discovering critical security holes which, they said, could seriously compromise the security of unsuspecting people who used it.
The critical security flaws make it possible to hijack accounts, contact users without their permission, and delete their photos or other user content.
The Diaspora project (as it is called) grew out of widespread dissatisfaction that many Facebook users expressed earlier this year in response to the company's privacy changes, which without warning exposed personal details many users didn't want to share with anybody.
When the developers sought funding, they asked for $10,000. So strong was the discontent of some Facebook users that they ended up with donations exceeding $200,000!
Now the Diaspora creators were very clear that Wednesday's release came with no specific guarantees and included known security flaws. But the creators said they weren't 100 percent certain that the message had reached some of the project's most fervent fans. Some most likely didn't get the warning, or if they did they probably didn't read it, the creators said.
“Currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.
“About the only thing I haven't been able to do yet is to compromise the security of the server that Diaspora is hosted on. That's not because that isn't possible. If a professional security researcher goes after this, I have every confidence that they will be able to easily compromise the server and bring down Facebook to its knees.”
The encryption features in Diaspora, which runs on the Ruby on Rails software stack, are also susceptible to a recently enhanced “Oracle Padding Attack” being demonstrated this week at the Ekoparty conference in Argentina.
A few security experts are now concerned that Ruby on Rails isn't as secure as its creators have claimed in the past.
“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, OK, what do I need to do to get this running because I hate being on Facebook,” McKenzie said.
“They are going to get burned in a very serious manner very quickly if they actually succeed in doing what they're trying to do. Facebook simply isn't a secure application, and until users fully realize this, there will be more and more security issues that will pop up all the time,” he added.
And McKenzie isn't the only one who has found critical security flaws in Facebook. Among the many reported issues in the code are numerous XSS — or cross-site scripting — vulnerabilities, a session token that's easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields.
McKenzie first voiced his concerns on an online hacker discussion forum devoted to Wednesday's release. So far, Diaspora representatives have not responded to an e-mail seeking comment on the security issues.
Source: Patrick McKenzie.