Facebook and Twitter Flunk Security Report Card

Ignorance is bliss, so don't read any further if you don't want to panic about Facebook and Twitter security.

Digital Society, a self-professed security think tank, has given failing security grades to both Twitter and Facebook. Both sites are vulnerable to attacks that can give someone partial or full control over your account, the group claims.

According to Digital Society, the main problem with Facebook and Twitter is that neither site allows full Secure Sockets Layer (SSL) protection. Both sites create unencrypted sessions for the user by default. Although the actual logins are encrypted, they're not authenticated, which means you can't pull up security information in your browser to verify the sites' identities.

Even if you do force a secure session (by using https://twitter.com or https://facebook.com), the sites still have links to non-secure parts of the site and JavaScript code that transmit authentication cookies without SSL, Digital Society found.
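The two weaknesses just described, session cookies that the browser will happily send over plain HTTP and HTTPS pages that still reference http:// links and scripts, are both visible in a site's own responses. The following audit script is an added example, not code from Digital Society's report or from either site; it runs over constructed sample headers and HTML (labelled as such, with made-up example.test hostnames) and flags missing Secure and HttpOnly cookie attributes, http:// references in tags and inline script, and a missing Strict-Transport-Security header. A hardened sample shows what a clean response looks like.

```python
"""
Audit an HTTP response for the conditions that let a Wi-Fi eavesdropper
collect session cookies: cookies without the Secure attribute, mixed
http:// references on an HTTPS page, and no HSTS header.
"""
import re
from html.parser import HTMLParser

# Constructed sample response (not captured from any real site): shaped like
# the weaknesses in the report, with a session cookie missing Secure and a
# page that links to, posts to and fetches from plain-http URLs.
WEAK_HEADERS = {
    "Set-Cookie": [
        "session_id=abc123; Path=/; HttpOnly",     # no Secure: leaks over http
        "csrf_token=def456; Path=/; Secure",       # no HttpOnly: script-readable
        "prefs=dark; Path=/; Secure; HttpOnly",    # fine
    ],
}
WEAK_BODY = """
<html><body>
  <a href="http://example.test/inbox">Messages</a>
  <img src="https://cdn.example.test/logo.png">
  <form action="http://example.test/status" method="post"></form>
  <script>
    var api = "http://example.test/api/v1/feed";  // cookies ride along on this
    var ok = "https://example.test/api/v1/me";
  </script>
</body></html>
"""

# Constructed hardened counterpart: every cookie is Secure+HttpOnly, HSTS is
# set, and every reference is https.
HARDENED_HEADERS = {
    "Set-Cookie": ["session_id=abc123; Path=/; Secure; HttpOnly"],
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
HARDENED_BODY = """
<html><body>
  <a href="https://example.test/inbox">Messages</a>
  <script>var api = "https://example.test/api/v1/feed";</script>
</body></html>
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lowercase attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_headers):
    """Return one finding per missing Secure/HttpOnly attribute."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            findings.append(f"cookie '{cookie['name']}' lacks Secure: browser will send it over plain HTTP")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"cookie '{cookie['name']}' lacks HttpOnly: readable by page scripts")
    return findings


HTTP_URL = re.compile(r"http://[^\s'\"<>)]+")


class InsecureRefFinder(HTMLParser):
    """Collect http:// URLs from link/resource attributes and inline script text."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for key, value in attrs:
            if key in self.URL_ATTRS and value and value.lower().startswith("http://"):
                self.refs.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as raw text; look for literal http:// endpoints.
        if self._in_script:
            for url in HTTP_URL.findall(data):
                self.refs.append(("script", url))


def find_insecure_references(html):
    parser = InsecureRefFinder()
    parser.feed(html)
    return parser.refs


def audit_response(headers, body):
    """Combine cookie, mixed-content and HSTS checks into one list of findings."""
    findings = audit_cookies(headers.get("Set-Cookie", []))
    findings += [f"{tag} references plain-http URL {url}" for tag, url in find_insecure_references(body)]
    if "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security header: browsers will still follow http:// links")
    return findings


if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY), ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(f"[{label}]")
        for finding in audit_response(hdrs, body) or ["no findings"]:
            print("  -", finding)
```

Point the same checks at your own site's responses (for example the raw output of a fetch with a real HTTP client) to see whether a session cookie would survive a plain-http link or script call; the Secure attribute and HSTS together are what stop the browser from ever sending it in the clear.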

These aren't new concerns, but the news fits hand-in-hand with the release of FireSheep, a Firefox add-on that lets people with limited technical knowledge hijack other people's web accounts over unencrypted Wi-Fi networks. Digital Society's report card essentially spells out what an attacker using FireSheep or another packet-sniffing program could accomplish. On Facebook, for instance, an attacker can gain access to every part of an account except the username and password, allowing the attacker to send status updates and read private messages.

Of the 11 websites examined by Digital Society, only Gmail received an "A" grade. WordPress, when accessed without SSL, received the only other "F," while Hotmail and Flickr received "D-" grades.

Microsoft has promised to fix vulnerabilities in Hotmail, and Facebook says it's beefing up security, as well. Still, that leaves plenty of sites to worry about if you're planning on using coffeehouse Wi-Fi. For more protection, consider the advice of Sharon Machlis at Computerworld and use FireSheep to make sure none of your own accounts are available for easy exploitation. You can also try FireShepherd, a program specifically designed to thwart FireSheep. And, if all else fails, plug your ears, sing in a really loud voice and hope for the best!
