Monday, November 8, 2010

Facebook and Twitter Fail Security Report Card

Facebook and Twitter flunk security report card. Digital Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or full control over a user’s account, the group claimed. According to Digital Society, the main problem with Facebook and Twitter is that neither site allows full Secure Sockets Layer (SSL) protection.

Both sites create unencrypted sessions for the user by default. Although the actual logins are encrypted, the login pages themselves are not authenticated, which means a user cannot pull up security information in the browser to verify the sites’ identities. Even if a user forces a secure session by going to the main sites for Twitter and Facebook, the sites still have links to non-secure parts of the site and JavaScript code that transmit authentication cookies without SSL, Digital Society found.

These are not new concerns, but the news fits hand-in-hand with the release of Firesheep, a Firefox add-on that lets people with limited technical knowledge hijack other people’s web accounts over unencrypted Wi-Fi networks. Digital Society’s report card essentially spells out what an attacker using Firesheep or another packet-sniffing program could accomplish. In Facebook, for instance, an attacker can gain access to every part of an account except the username and password, allowing the attacker to send status updates and read private messages.
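The weakness described above is an authentication cookie that the browser will happily send over plain HTTP. The check below is an added example, not code from the article or from Digital Society: it audits a response's Set-Cookie and Strict-Transport-Security headers and reports session cookies that lack the Secure (and HttpOnly) attribute. The header samples are constructed, and the rule that cookie names containing "sess", "auth", "token" or "login" are session cookies is an assumption.

```python
"""Audit HTTP response headers for cookies that would leak over plain HTTP."""
import re

# Assumption: cookies whose names look like these carry the login session.
SESSION_NAME_HINT = re.compile(r"sess|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return findings for a list of (header_name, header_value) pairs.

    A session cookie without Secure is attached to http:// requests as well,
    which is what a Wi-Fi sniffer waits for; without HSTS nothing stops the
    browser from making those plaintext requests in the first place."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if SESSION_NAME_HINT.search(cookie):
                if "secure" not in attrs:
                    findings.append(f"{cookie}: missing Secure (sent over plain HTTP)")
                if "httponly" not in attrs:
                    findings.append(f"{cookie}: missing HttpOnly (readable by script)")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header (plain HTTP still allowed)")
    return findings


# Constructed sample headers: the weak configuration and a hardened one.
WEAK = [
    ("Set-Cookie", "session_id=abc123; Path=/; Domain=.example.com"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["no findings"])
```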

Source: http://www.computerworld.com/s/article/9195021/Facebook_and_Twitter_Flunk_Security_Report_Card
