'Facebook for Kids' slammed by security researchers
'Users could be anybody: a child, an adult, a child predator, or a spambot'
Updated A new social network website claiming to be a "Facebook for Kids" is riddled with security shortcomings, security researchers at Cambridge University have warned. The site - School Together Now - said that it took security seriously and promised to review the findings of the Cambridge researchers.
School Together Now - which is aiming to sign up parents as well as children as members - is due to launch at the start of next year but is already open to registration. National media coverage about the site sparked the curiosity of Cambridge postgraduate researcher Joseph Bonneau about what security controls had been established for an obviously vulnerable age group.
Bonneau discovered a myriad of security problems beyond the issue of whether kids needed a social networking site. School Together Now is focused on signing up seven- to 12-year-olds, but advertisers and others can also participate.
"Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children," Bonneau writes in a post to Cambridge University's well-respected Light Blue Touchpaper blog.
Preventing impersonation or fraudulent sign-ups is a difficult problem for any website, and particularly important for a social network targeting kids. But School Together Now makes few efforts to establish the bona fides of would-be members.
"School Together Now... makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot," Bonneau notes.
The Cambridge researchers have already discovered one profile solely designed to pump out spamvertising for an online Viagra distributor.
Users of the site are not required to declare an age - of course people can lie about their age, but when they do so it gives evidence of acting in bad faith that might be useful in prosecutions.
"Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service," the security researchers add. "The site similarly makes no effort to verify claimed affiliation with a school or a parent account."
Bonneau and his colleagues were able to link a test account to any primary school they wished. Facebook, by contrast, requires a valid email address in a school's domain to join academic sub-networks.
Other aspects of School Together Now worry researchers. The information sharing model established by the site is "fundamentally broken".
"The default settings share all entered information, which could include email addresses and phone numbers, with all users on the site - who could be anybody. Although the website classifies users into groups like children and parents (and also 'advertisers'), there are no restrictions on communication between them," Bonneau writes.
In addition, forum postings are viewable through search engines. "Information posted by users may be reviewed by moderators and deleted, but we were able to locate clearly sensitive information such as age, personal habits, school membership, and location, which had been left in forums for weeks," Bonneau notes.
School Together Now also contains a private messaging function which allows users to exchange messages outside of any control by moderators. School Together Now lacks a clear mechanism for reporting abuse.
All these bad security design choices, and more, make the site unsafe for its target demographic, the Cambridge boffins conclude.
MySpace and Facebook limit membership to those over 13 because of the greater problems in catering to kids. Most child-centric sites are geared toward gaming, with little social interaction, though there are examples of child-centric sites that do a better job with security.
"Online social environments aimed specifically at kids typically provide even more security. Disney's Toontown Online game, for example, only allows free-form chat except between friends who have been verified out-of-band (outside the site)."
Think of the Children
School Together Now's claims to provide a "safe and secure environment for children" are misleading because of a lack of basic authentication and authorization that makes the site a potential hunting ground for predators, Bonneau concludes.
Professor Ross Anderson of the Cambridge University Computer Lab told El Reg that School Together Now, in developing its site, has failed to take on board the security lessons learned by Facebook, and that the site fails to follow best practice and Home Office recommendations.
We relayed the concerns of the Cambridge University experts to School Together Now, which promised to review the findings of the report.
Esther Guy, School Together Now founder, a working mother of three, said: "The security of our website and the safety of our users is of paramount importance to everyone at School Together Now and we therefore welcome the Cambridge University team's analysis of the site."
"The team's research is particularly welcome at this time as we prepare to launch the site to the general public next year. We shall look at the report very carefully and if we feel that it identifies areas where our site's security can be improved then we shall take swift action to do so," she added.
possssitively speeeeeking DO SOMETHING
HOWEVER, Mother Hen... you completely ignored the fact that if there were no sites parading themselves as being "for the kids" there would be no excuse for children to be on a medium that is predominately PORNOGRAPHIC, UNREGULATED and rife with phish.
You ask what [WE] are going to do about it... well, I am most certainly going to AVOID promoting the internet for use by minors, same as I believe that a minimum driving/drinking/fucking age is a good idea. As you so correctly pointed out.... anyone could buy FaceBook and anything can appear on YouTube... Legal action takes place AFTER THE OFFENCE.... I would prefer to avoid the offence taking place in the first place. Check your feet for shrapnel... I am not part of the problem... YOU ?
Mother Hen responds
Well, well, quite a storm going on. Why is everyone so angry? All I'm trying to do is provide a site that does not have any outbound links and no commercial advertising. Whether children belong on the Internet is not and never will be the question. The question is what to do with them when they do go on. I and you are not here to police the children of the world, nor could you if you wanted to. It is a fact of the age that children will find their way onto the net if we want them to or not. I am trying to do something positive about this, as I have 2 children of my own. What are you doing about it?????
As far as my spelling goes, English is my third language (I speak 4), so my apologies. Maybe I should have written my response in Dutch or German; then you would have no call to question my spelling. As far as being sued, the site facebookforkids has been owned (not by me, that is) for over 2 years and has been up for sale for 18 months; anyone could have bought it. And as for MGM etc., the videos are being streamed by Google's YouTube, so they are the ones to sue.
Try to be posssitive. Shouting about the problem of kids on the internet is not solving anything. DO SOMETHING
anonymously titled too
@ Matthew Collier - it's grammar, not grammer mate - you gonna take the piss out of someone for their typing make sure you don't quack it up yourself.