Facebook, Twitter fail latest security assessment

A nonprofit security think tank's "report card" has failed Facebook and Twitter for neglecting to implement safeguards that are available on other popular online services.

The group Digital Society recently doled out grades for the security of a number of widely-used online services, including Facebook, Twitter, Google's Gmail and Microsoft's Hotmail.

The services were graded on whether they use full Secure Sockets Layer (SSL) protection and whether they are susceptible to attacks that can expose users' credentials or authentication cookies.

Out of the services graded, Facebook and Twitter came out on the bottom, both receiving the lowest grade of “F.”

The most pressing security problem affecting the social networking sites is that they do not use SSL authentication, a means of verifying the site's identity to users through visual cues such as a padlock or “HTTPS” in the website URL, George Ou, policy director at Digital Society, told SCMagazineUS.com on Friday.

“They are not verifying to users who they are before they ask for a username and password,” Ou said.

As a result, attackers can create a fake Facebook or Twitter login page that is indistinguishable from the real thing and trick users into handing over their credentials, he added.

Moreover, neither Facebook nor Twitter uses end-to-end encryption to safeguard users' sessions, leaving them vulnerable to an attack known as "HTTP session hijacking," in which an attacker steals a user's cookie to take over the account, Ou said.

The danger of unencrypted websites garnered widespread attention late last month with the release of a free tool called Firesheep. The Firefox web browser plug-in lets anyone scan open Wi-Fi networks and hijack accounts belonging to sites such as Twitter and Facebook. Since its release, the extension has been downloaded more than 600,000 times.
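The two findings above (logins and sessions carried over plaintext HTTP, and the resulting cookie theft that Firesheep automated) come down to a few bytes on the wire. The following added example is not from the article, Digital Society or any of the sites named; it uses constructed traffic, and the host name `example-social.test` and cookie name `sess` are assumptions. The first part shows what a passive sniffer on an open Wi-Fi network can pull out of a plaintext request and how little it needs to replay the session; the second part is the server-side check a defender wants, flagging a `Set-Cookie` header that lacks the `Secure` attribute (which keeps the browser from ever sending the cookie over `http://`) and `HttpOnly`, next to the corrected form.

```python
import re
from http.cookies import SimpleCookie

# Constructed plaintext request, as a passive sniffer on the same Wi-Fi
# segment would capture it. Host name and cookie names are assumptions.
CAPTURED_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sess=8a1f3c7e2b9d; lang=en\r\n"
    b"\r\n"
)


def extract_cookies(raw_request: bytes) -> dict[str, str]:
    """Return the cookies a plaintext HTTP request carries.

    Everything sent over port 80 is readable by anyone on the segment, so
    this is exactly the material an attacker replays to ride the session.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    cookies: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            for pair in value.decode("latin-1").split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def hijacked_request(captured: bytes, path: str = "/home.php") -> bytes:
    """Build the request that rides the stolen session.

    Only the cookie is needed: no password and no login page are involved,
    which is why a sniffed session cookie equals account takeover.
    """
    cookies = extract_cookies(captured)
    host = re.search(rb"^Host:\s*(\S+)", captured, re.M).group(1).decode()
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_hdr}\r\n\r\n").encode()


# Weak and corrected server responses (both constructed). The hardened one
# marks the cookie Secure + HttpOnly and adds HSTS so the browser stops
# using http:// for this host at all.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sess=8a1f3c7e2b9d; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sess=8a1f3c7e2b9d; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)


def audit_set_cookie(response: str) -> dict[str, list[str]]:
    """Map each cookie name in a response to the protections it lacks.

    'Secure'   -> browser would still send it over plaintext http://
    'HttpOnly' -> page script can read it via document.cookie
    """
    findings: dict[str, list[str]] = {}
    for line in response.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            jar = SimpleCookie()
            jar.load(line.split(":", 1)[1].strip())
            for name, morsel in jar.items():
                missing = []
                if not morsel["secure"]:
                    missing.append("Secure")
                if not morsel["httponly"]:
                    missing.append("HttpOnly")
                findings[name] = missing
    return findings


if __name__ == "__main__":
    print("sniffed:", extract_cookies(CAPTURED_REQUEST))
    print("replay :", hijacked_request(CAPTURED_REQUEST))
    print("weak   :", audit_set_cookie(WEAK_RESPONSE))
    print("fixed  :", audit_set_cookie(HARDENED_RESPONSE))
```

The `Secure` attribute is the part that matters for the Firesheep scenario: a cookie set without it is sent on any `http://` request to the host, including one an attacker on the same network can trigger, even if the login itself happened over HTTPS. `HttpOnly` and HSTS do not stop a passive sniffer on their own but close the neighbouring paths (script access to the cookie, and the browser falling back to plaintext).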

A Facebook spokesman told SCMagazineUS.com in an email Friday that the site recently has implemented a number of safeguards and is working to further improve security.

“We appreciate Digital Society raising awareness about the dangers of surfing over unsecured networks, and we have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” a company spokesman said. “However, the report fails to include many important security metrics that place Facebook as a leader in this industry and doesn't even mention many of the unique security features we offer to make accounts more secure.”

Those security features include login notification, remote session management, one-time passwords and internal spam prevention systems, the spokesman said.

A Twitter spokeswoman said the microblogging service takes security seriously but does not have a comment on Digital Society's report card.

Meanwhile, in Digital Society's assessment, Google's Gmail service received an “A” grade for implementing safeguards, such as SSL authentication and browsing.

Hotmail, on the other hand, received a “D-” grade. Security issues on the webmail service could allow an attacker to view every message a user has received and sent, or send messages on behalf of a user, Ou said.

Microsoft, however, plans to upgrade the security of Hotmail by enabling SSL browsing, he said.
