
'Facebook for Kids' slammed by security researchers

'Users could be anybody: a child, an adult, a child predator, or a spambot'


Updated A new social network website claiming to be a "Facebook for Kids" is riddled with security shortcomings, security researchers at Cambridge University have warned. The site - School Together Now - said that it took security seriously and promised to review the findings of the Cambridge researchers.

School Together Now - which is aiming to sign up parents as well as children as members - is due to launch at the start of next year but is already open to registration. National media coverage of the site made Cambridge postgraduate researcher Joseph Bonneau curious about what security controls had been established for an obviously vulnerable age group.

Bonneau discovered a myriad of security problems beyond the issue of whether kids needed a social networking site. School Together Now is focused on signing up seven- to 12-year-olds, but advertisers and others can also participate.

"Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children," Bonneau writes in a post to Cambridge University's well-respected Light Blue Touchpaper blog.

Preventing impersonation or fraudulent sign-ups is a difficult problem for any website, and particularly important for a social network targeting kids. But School Together Now makes few efforts to establish the bona fides of would-be members.

"School Together Now... makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot," Bonneau notes.

The Cambridge researchers have already discovered one profile solely designed to pump out spamvertising for an online Viagra distributor.

Users of the site are not required to declare an age - of course people can lie about their age, but when they do so it gives evidence of acting in bad faith that might be useful in prosecutions.

"Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service," the security researchers add. "The site similarly makes no effort to verify claimed affiliation with a school or a parent account."

Bonneau and his colleagues were able to link a test account to any primary school they wished. Facebook, by contrast, requires a valid email address in a school's domain to join academic sub-networks.

Wide open

Other aspects of School Together Now worry researchers. The information sharing model established by the site is "fundamentally broken".

"The default settings share all entered information, which could include email addresses and phone numbers, with all users on the site–who could be anybody. Although the website classifies users into groups like children and parents (and also "advertisers"), there are no restrictions on communication between them," Bonneau writes.

In addition, forum postings are viewable through search engines. "Information posted by users may be reviewed by moderators and deleted, but we were able to locate clearly sensitive information such as age, personal habits, school membership, and location, which had been left in forums for weeks," Bonneau notes.

School Together Now also contains a private messaging function which allows users to exchange messages outside of any control by moderators. School Together Now lacks a clear mechanism for reporting abuse.

All these bad security design choices, and more, make the site unsafe for its target demographic, the Cambridge boffins conclude.

MySpace and Facebook limit membership to those over 13 because of the greater problems in catering to kids. Most child-centric sites are geared toward gaming, with little social interaction, though there are examples of child-centric sites that do a better job with security.

"Online social environments aimed specifically at kids typically provide even more security. Disney's Toontown Online game, for example, only allows free-form chat except between friends who have been verified out-of-band (outside the site)."

Think of the Children

School Together Now's claims to provide a "safe and secure environment for children" are misleading because of a lack of basic authentication and authorization that makes the site a potential hunting ground for predators, Bonneau concludes.

Professor Ross Anderson of the Cambridge University Computer Lab told El Reg that School Together Now, in developing its site, has failed to take on board the security lessons learned by Facebook, and that the site fails to follow best practice and Home Office recommendations.

We relayed the concerns of the Cambridge University experts to School Together Now, which promised to review the findings of the report.

Esther Guy, School Together Now founder, a working mother of three, said: "The security of our website and the safety of our users is of paramount importance to everyone at School Together Now and we therefore welcome the Cambridge University team's analysis of the site."

"The team's research is particularly welcome at this time as we prepare to launch the site to the general public next year. We shall look at the report very carefully and if we feel that it identifies areas where our site's security can be improved then we shall take swift action to do so," she added. ®
