Defences lacking at social network sites
Services like LiveJournal and Tribe are poised to be the next big thing on the Web in 2004, but their security and privacy practices are more like 1997, writes Annalee Newitz.
Brad Fitzpatrick is president of LiveJournal.com, a social discovery Web site where over 1.5 million users post diary entries they want to share with friends. Although members post extremely sensitive information in their journals -- everything from their plans to commit suicide or sabotage their boss to their latest sexual adventures -- Fitzpatrick admits that security on his site isn't a priority.
On the initial login page, LiveJournal members send their passwords in the clear. "We're hoping to change that in the next month," Fitzpatrick said. "But site performance is our highest priority, and SSL is a pain."
Jack (not his real name) is an LJ user whose account was compromised. He isn't sure how it happened, but one day he logged in and discovered a huge portion of his journal entries had been deleted. The attacker didn't stop there -- she or he also plundered his friends' "locked" entries (visible only to other friends) and reposted extremely private exchanges as public entries in Jack's journal. Although he quickly changed his password and fixed the problem, the damage was done. "My friends were really upset and the bad feelings persist," he said. One friend feared that she might lose her job when a private entry about problems with her supervisor was made public on Jack's journal. "It's still cached on Google," he explained, "although it would probably be hard for most people to find unless they knew all the details."
Security measures are equally weak on social discovery Web site Tribe.net, whose member base has swollen to 65,000 since it launched six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL for member logins. "We don't need high industrial strength encryption for that," he said. "We use standard security techniques like unique session IDs."
As security professionals know, there are any number of ways to defeat unique session IDs. Jeff Williams, CEO of Aspect Security, works on Web applications security issues for large financial, health and government institutions. He explained that Tribe.net's refusal to use SSL means that "the session ID, which is included in the URL, will be logged on any proxy. Or you can capture it off the wire with dsniff. If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."
Cross-site scripting could be another problem. Martino says Tribe does "tag scrubbing" to protect against people embedding hostile scripts on their posts to the site. But security pros say an attacker might be able to target specific members by sending a specially crafted URL that direct them to a form with hidden tags designed to suck up their cookies. Williams explained that "XSS is amazingly widespread. Plus, XSS vulnerabilities are easy to discover and exploit."
The Open Web Application Security Project, where Williams also works, ranks cross-site scripting number four on its list of the top ten web application vulnerabilities. "We try hard to [protect against XSS attacks], but there's always something new," said Fitzpatrick. "The only solution would be to lose link tags, and that's not a good solution."
Security consultant and Nmap author Fyodor speculated that social discovery sites are also vulnerable to a class of attack that is familiar to anyone who uses eBay: "You can trick a user into divulging their username/password by sending them to a fake login page you control. For example, you could send an email, forged as coming from Tribe, which says they need to agree to a new ToS or their account will be deactivated. Then you give them a URL that is cloaked to appear authoritative for Tribe but really could be modified to go to the attacker's password capture page."
What makes these attacks novel in the context of a social discovery site isn't how they are deployed, but why. What does an attacker have to gain by spoofing the identity of a member of Tribe or LinkedIn? What kinds of damage can be done by hacking into a LiveJournal account? The answer has to do with the public's growing dependence on social reputation systems.
As we come closer to quantifying reputation, the identities we use in online communities begin to have real-world value. A top-ranked member of a network like eBay might be able to sell more items than her peers. A high-karma user on a site devoted to legal issues could have a tremendous influence over public policy. According to social networks analyst Clay Shirky, identity spoofing is possibly the greatest threat to social discovery networks. "When your reputation is valuable, it becomes worth exploiting. It makes a stolen identity a more valuable commodity."
LiveJournal's abuse manager Mark Ferrell said he receives at least five reports of ID hijacking per day.
By impersonating a highly-reputable person, an attacker might gain access to that person's social network, business contacts and private life. Spammers might launch highly personalized campaigns. And sexual predators could use their victims' friend lists to find more people to harass.
The Social Defense Model
But social discovery site owners and users say they have foolproof protection against identity spoofing: the communities themselves. Call it the social defense model. These sites are using the connections between members to defend against technical and social attacks.
The more articulated a social network gets, the harder it is to pretend to be a member of it for personal gain. Online communities can launch counter-attacks that resemble virtual community policing. When a spammer created a fake profile on Tribe and used it to post junk messages, reports Tribe moderator Liz Warner, "People used social pressure to quash [it]." After seeing the first junk post, Tribe members quickly alerted moderators, who deleted the spammer's account in just half an hour.
Konstantin Guericke, co-founder of LinkedIn, explained that his business-oriented site protects its members from spoofing by creating an environment that forces people to deploy authentication methods similar to those used in face-to-face meetings. You can't just randomly send messages to people ala Friendster. To gain access to another site member, LinkedIn requires you to contact someone you both know for an introduction. Thus, a third party has to vouch for you and confirm that you are who you say you are. It's like identity escrow, with all the benefits and pitfalls such a system implies.
According to Danah Boyd, a graduate student who studies social networks at UC Berkeley's School of Information Management and Systems, people have gamed LinkedIn by setting up fake accounts for their business competitors and watching to see who approaches them with deals. "Of course, the problem is when the real person goes online and notices," she said. "You can't fake somebody being there for very long." Guericke agreed. "The social network is your strongest weapon," he said. "If you try to find a technical solution [to identity spoofing], you'll step on the social feedback mechanism."
LiveJournal has spawned some of the most vicious identity-spoofing attacks. Ferrell said most of these attacks couldn't be prevented by technical means: "People have had a boyfriend or somebody who knew their password and that person takes over their account." While these attacks may be hurtful to the individuals involved, community protection against them is as simple as common sense. It's relatively easy for members to figure out that someone's account has been compromised when they start posting nasty comments about themselves.
Of course, sometimes an LJ attack is more subtle. By gaining access to someone's account, as LJ user Jack discovered, an attacker becomes privy to the "private" posts of friends. Ultimately, there is little defense against these social attacks, just as there is no way to stem the tide of gossip in the real world. Matthew Ringel, a longtime LJ user, wrote via email, "If I had a dollar for every time a friend in a social group accidentally 'leaked' some information about an LJ posting to someone who wasn't in the friends filter for it, I'd be typing this on a new laptop. There's no technical solution for gossip."
Real attackers, however, couldn't care less about gossip: they want to take whatever is most valuable on these sites. And there's the rub. Shirky says nobody is quite sure what makes these sites valuable, although VCs recently plunked down millions to get pieces of Friendster, Tribe and LinkedIn.
But, according to Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.
Citing Lawrence Lessig's idea that code equals law, Shirky argued, "Actually, it turns out that code is only sometimes law. The software is not as valuable who uses it." When it comes to locking down social discovery Web sites, one might make a similar claim. Secure code on these sites may not be nearly as important as the community policing them.
Nevertheless, site owners cannot expect users to create value for sites where security is held in flagrant disregard. "It would be great if these sites were compliant with the OWASP Top Ten," laughed Williams, "but it's hard to imagine, given that so many online banking and ecommerce sites don't do it." It may be unrealistic to suggest social discovery sites adhere to OWASP's stringent security guidelines. But perhaps users should be given the option to login over SSL.
Annalee Newitz is a writer in San Francisco who lives at www.techsploitation.com.