Security vulnerabilities galore in social networks
A new web site, socialnetworksecurity.org, has been set up to publish details of security vulnerabilities in social networks such as Facebook, Lokalisten, Friendscout24.de, wer-kennt-wen.de and XING. Most of the vulnerabilities listed could be exploited for cross-site scripting (XSS) attacks. Jappy.de, for example, contains one such vulnerability which allows contacts' cookies to be stolen. The team behind socialnetworksecurity.org also found several vulnerabilities on XING. On Facebook, phishing attacks can be carried out by abusing a forwarding script: starting from a link that appears to point to Facebook, it generates an HTTP login request whose contents are readily viewable. Some web site operators have yet to respond to the vulnerability disclosures. Our colleagues at heise Security were still able to reproduce the XSS vulnerability on Kwik on Monday afternoon.
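The two vulnerability classes the article names, a forwarding script that can be pointed at an arbitrary target and an XSS flaw that exposes session cookies, have well-known server-side mitigations. The following is an added example written for this page; it is not code from the article or from any of the sites it mentions, and the host names, the `SITE_ORIGIN` constant and the helper names are constructed for illustration. It shows a redirect target check that keeps users on an allow-listed host and rejects the usual bypass forms (protocol-relative URLs, foreign schemes, userinfo tricks), and a session cookie built with the `HttpOnly` and `Secure` attributes so injected script cannot read it via `document.cookie`.

```python
"""Added example (not from the article or the sites it names):
server-side mitigations for an abusable forwarding script and for
cookie theft via XSS. All host names here are constructed."""

from urllib.parse import urlsplit, urljoin

# Constructed allow-list: the only hosts a forwarding script may send users to.
ALLOWED_REDIRECT_HOSTS = {"social.example", "www.social.example"}
# Constructed origin of the site itself; relative targets resolve against it.
SITE_ORIGIN = "https://social.example"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that stays on an allowed host, else `default`.

    Accepts relative paths ("/profile") and absolute https URLs on allowed
    hosts. Rejects protocol-relative URLs ("//evil.example"), other schemes
    ("http:", "javascript:"), backslash variants and userinfo ("host@evil")."""
    if not target or "\\" in target:
        return default
    try:
        # Resolving against our own origin handles "/path" and full URLs
        # uniformly; "//evil.example/x" resolves to the foreign host and
        # is then rejected by the host check below.
        parts = urlsplit(urljoin(SITE_ORIGIN, target))
    except ValueError:  # malformed input such as a broken IPv6 literal
        return default
    if parts.scheme != "https":
        return default
    if parts.username or parts.password:
        return default
    if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return default
    # Re-emit only path and query: the fragment is dropped and the host is
    # never copied from user input, so the reply cannot leave the site.
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header for a session cookie.

    HttpOnly keeps the value out of reach of script (what an XSS payload
    exfiltrates), Secure keeps it off plain HTTP, SameSite=Lax limits
    cross-site sends."""
    attrs = [f"{name}={value}", f"Max-Age={max_age}", "Path=/",
             "Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(attrs)


if __name__ == "__main__":
    for t in ("/profile", "https://www.social.example/msgs?id=3",
              "//evil.example/login", "http://social.example/x",
              "javascript:alert(1)", "https://social.example@evil.example/"):
        print(f"{t!r:45} -> {safe_redirect_target(t)!r}")
    print(session_cookie_header("sid", "constructed-session-id"))
```

The redirect check deliberately returns a path rather than echoing the caller's URL back, so even an allowed target is rebuilt from parsed components; combined with `HttpOnly`, a reflected XSS flaw still has to be fixed, but it no longer hands the attacker the session cookie on its own.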
The socialnetworksecurity.org project was founded to give social network users the opportunity to find out about open security vulnerabilities and to protect themselves from the associated risks. The team behind the web site, who wish to remain anonymous, also hope that their project will heighten awareness of security issues among web site operators. Basic tips are also provided to help administrators secure their sites. (Both pages of tips, for users and for administrators, are currently only available in German.) Following in the footsteps of Wikileaks, the team has announced its intention to publish information on vulnerabilities in schueler.cc and stayfriends.de shortly. Visitors to the site are also encouraged to report vulnerabilities in social networks.