Saturday, September 25, 2010

Twitter worm Social Networking security debate

A cross-site scripting vulnerability in Twitter was exploited this week and used to send random tweets to all of a victim's followers. The attack leveraged a common JavaScript feature, "onmouseover", which lets developers trigger discrete actions when visitors move their mouse cursor over a designated area of a web page. So, depending on the number of followers a person has, all of them receive these random tweets. Check the Kaspersky blog for more information on this.
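The attribute injection behind the worm, as an added example that is not Twitter's code: a hypothetical tweet "linkifier" in its unsafe and hardened forms, plus a small scanner that lists the on* handler attributes a browser would see in the generated anchor tag. The URL matcher, function names and sample tweet are all constructed for this illustration.

```javascript
// Added example (not Twitter's code): unsafe vs hardened linkifier, plus a
// scanner showing which event-handler attributes end up in the generated tag.

// Escape the characters that can end an HTML attribute value or tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical URL matcher: it runs to the next whitespace, so a quote inside
// the "URL" is carried straight into the generated markup.
const URL_RE = /https?:\/\/\S+/g;

// Unsafe: user text is concatenated into an attribute value without escaping,
// so a quote in the tweet closes href and whatever follows becomes attributes.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened: every user-controlled fragment is escaped before it is placed in
// either the attribute context or the text context.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(m[0])}">${escapeHtml(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Tokenize the first <a ...> tag's attributes roughly as a browser does
// (name, optional =value, quoted or bare) and return any on* handler names.
function eventHandlersInFirstAnchor(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const attr = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|\S*))?/g;
  return [...tag[1].matchAll(attr)]
    .map((m) => m[1].toLowerCase())
    .filter((n) => n.startsWith('on'));
}

// Constructed sample tweet (not a real payload): a stray quote inside the URL
// followed by an event-handler attribute, the shape of the injection above.
const SAMPLE_TWEET = 'look at http://example.com/@"onmouseover="handler()"/ wow';

console.log(eventHandlersInFirstAnchor(linkifyUnsafe(SAMPLE_TWEET))); // [ 'onmouseover' ]
console.log(eventHandlersInFirstAnchor(linkifySafe(SAMPLE_TWEET)));   // []
```

The scanner only tokenizes the first anchor; a real review would run the hardened output through the site's actual HTML sanitizer rather than a regex.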

Even though Twitter closed this vulnerability, a lot of damage had already been done, and it prompted The New York Times to assemble an online debate on social networking security.

The contributors included some big names like Ross Anderson and Edward Felten.

I particularly liked Ross Anderson's comments:

The discipline of security economics teaches us that large systems often fail because incentives are poorly aligned; if someone guards a system while someone else bears the cost of failure, then failure is likely. Persistent security failures have the same general causes as market failures, and monopolies are particularly bad.

So as people move from the open environment of the Internet to the walled garden of Facebook, we can expect security to get worse. But that's not all; there are at least three further problems. First, Facebook has a strong incentive to collect as much personal information as possible from its users for sale to advertisers.
Second, Facebook is trying hard to be the world's identity service provider of choice, so that people use their Facebook account to leave comments on blogs, newspapers and community Web sites. This will make Facebook an even bigger target.

The entire online debate is available here. This is great stuff and a must-read for social networking security enthusiasts.
