Social Network Platform Security Lessons: Why I Deleted Facebook

“MicroISV on a Shoestring” posted in September 2010 a funny and detailed review of security flaws found in the open-source Diaspora platform.

  • Authentication != Authorization: The User Cannot Be Trusted
  • Mass Assignment Will Ruin Your Day
  • NoSQL Doesn’t Mean No SQL Injection
  • Take Care With Releasing Software To End Users
  • Is Diaspora Secure After The Patches?

Although I can get a good chuckle out of the following conclusion, I think it misses the point entirely.

The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month. You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed. There are, almost certainly, exploits as severe as the above ones left in the app, and there almost certainly will be zero-day attacks by hackers who would like to make the headline news. “Facebook Competitor Diaspora Launches; All Users Data Compromised Immediately” makes for a smashing headline in the New York Times, wouldn’t you say?

Yes, fine, compare it to Facebook, which itself has proven itself no friend to privacy — compromised over and over and over

I never will forget in 2009 when I met a few Facebook employees and expressed my concerns with the security flaws I had found. Their response was “yes, we know it’s riddled with holes, but security is not our focus”.

Thus began my immediate removal of personal information and closure of my profile.

Diaspora may be bad, but it is still very early. Can it be worse than handing over data to an ancient (by social network standards) private company ruled by a man funded by Russians without any transparency that most likely hopes to profit from your loss (of privacy)?

Was Facebook’s first code release (based on targeting and harming women) any better?

Zuckerberg faced serious charges of breach of security, violating copyrights, and violating individual privacy.

Also, if you believe at all in social networking and collaboration Diaspora makes a lot more sense than the centrally-planned autocratic regime of Facebook. Diaspora follows an open market model where its users can assess the security of the code, collaborate to write/test fixes and even run different pods to a level of privacy they find acceptable.

None of that is true for Facebook, which is what Columbia University law professor Eben Moglen accurately termed anti-democratic “spying for free” (surveillance capital).

In other words, Diaspora might be insecure because it lacks talent but not because it lacks the potential to become secure. It can be as good as the community that uses it and based on their vision — the whole being greater than a sum of parts and so on, in the spirit of being socially networked. Facebook’s security potential by comparison is in steady decline by design and will only get worse; every move by their leader has been to reduce your privacy for profit.

You might believe that its founder and his lenders will have a change heart. You might also believe in magic management-fixing fairies….

Personally, I’d be praying for the fairies because if Facebook is dependent on Zuckerberg their users are screwed.

Posted on February 22nd, 2011 at 7:08 pm […] My Facebook account’s web settings specify full-time encrypted traffic, but this apparently isn’t honored or supported by Facebook’s Android app. Facebook isn’t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook’s server have a SQL injection vulnerability?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.