The Null Device

Security flaws in social-network sites

Beware: leading social network websites like LiveJournal, tribe.net and LinkedIn are dangerously insecure; these sites don't bother with SSL, sending cleartext passwords across the network where they may be intercepted:
Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL for member logins. "We don't need high industrial strength encryption for that," he said. "We use standard security techniques like unique session IDs."

Some attacks rely on technological vulnerabilities, and others rely on human gullibility and badly-designed user interfaces (i.e., the old spoofed-email-pointing-to-fake-login-page trick). And there's more at risk than adolescent social dramas.

A top-ranked member of a network like eBay might be able to sell more items than her peers. A high-karma user on a site devoted to legal issues could have a tremendous influence over public policy. According to social networks analyst Clay Shirky, identity spoofing is possibly the greatest threat to social discovery networks. "When your reputation is valuable, it becomes worth exploiting. It makes a stolen identity a more valuable commodity."
By impersonating a highly-reputable person, an attacker might gain access to that person's social network, business contacts and private life. Spammers might launch highly personalized campaigns. And sexual predators could use their victims' friend lists to find more people to harass.

Update: Apparently LiveJournal no longer uses cleartext passwords for login, instead using a JavaScript challenge/response scheme, with SSL logins for those without JavaScript enabled. (I wonder how much of a risk login cookies sent in the clear are, though.)

There are 6 comments on "Security flaws in social-network sites":

Posted by: richard http://mechanicalcat.net/richard/log Sat Jan 3 23:04:29 2004

The livejournal implementation sounds a lot like digest auth, except it's not at the protocol level...

Posted by: acb http://dev.null.org Sun Jan 4 04:55:46 2004

Except that some browsers don't do digest authentication, which is a pain for those still stuck using Nyetscape 4.7 and such.

Posted by: steve http:// Tue Jan 6 09:29:36 2004

anyone still using netscape 4.7 needs their head read... and a browser upgrade. the amount of time i've spent over the years hacking at sites to get them to work in that sucker... ugh.

Posted by: acb http://dev.null.org Tue Jan 6 13:00:18 2004

True. Though will Mozilla run on old, obsolete hardware as well as Nyetscape?

Posted by: Graham http://grudnuk.com/ Tue Jan 6 13:32:48 2004

They're probably using Internet Exploder anyway...

Posted by: steve http:// Thu Jan 8 00:46:30 2004

mozilla will probably run on a low spec machine... just how low spec i couldn't say, but i suspect it'd be ok.

nyetscape - i like that... that neatly sums up so many of that browser's failings...
