Facebook, Twitter fail latest security assessment
The group Digital Society recently doled out grades for the security of a number of widely-used online services, including Facebook, Twitter, Google's Gmail and Microsoft's Hotmail.
The services were graded on whether they use full Secure Sockets Layer (SSL) protection and if they are susceptible to attacks that can expose user's credentials or authentication cookies.
Out of the services graded, Facebook and Twitter came out on the bottom, both receiving the lowest grade of “F.”
According to Digital Society, the most pressing security problem affecting the social networking sites is that they do not use SSL authentication, a means of verifying the site's identity to users through visual queues such as a padlock or “HTTPS” in the website URL, George Ou, policy director at Digital Society, told SCMagazineUS.com on Friday.
“They are not verifying to users who they are before they ask for a username and password,” Ou said.
As a result, attackers can create a fake Facebook or Twitter login page that is indistinguishable from the real thing and trick users into handing over their credentials, he added.
Moreover, both Facebook and Twitter do not use end-to-end encryption to safeguard users' sessions, leaving them vulnerable to an attack known as "HTTP session hijacking," in which an attacker steals a user's cookie to take over the account, Ou said.
The danger of unencrypted websites garnered widespread attention late last month with the release of a free tool called Firesheep. The Firefox web browser plug-in lets anyone scan open Wi-Fi networks and hijack accounts belonging to sites such as Twitter and Facebook. Since its release, the extension has been downloaded more than 600,000 times.
A Facebook spokesman told SCMagazineUS.com in an email Friday that the site recently has implemented a number of safeguards and is working to further improve security.
“We appreciate Digital Society raising awareness about the dangers of surfing over unsecured networks, and we have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” a company spokesman said. “However, the report fails to include many important security metrics that place Facebook as a leader in this industry and doesn't even mention many of the unique security features we offer to make accounts more secure.”
Those security features include login notification, remote session management, one-time passwords and internal spam prevention systems, the spokesman said.
A Twitter spokeswoman said the microblogging service takes security seriously but does not have a comment on Digital Society's report card.
Meanwhile, in Digital Society's assessment, Google's Gmail service received an “A” grade for implementing safeguards, such as SSL authentication and browsing.
Hotmail, on the other hand, received “D-” grade. Security issues on the webmail service could allow an attacker to view every message a user has received and sent, or send messages on behalf of a user, Ou said.
Microsoft, however, plans to upgrade the security of Hotmail by enabling SSL browsing, he said.