
'Facebook for Kids' slammed by security researchers

'Users could be anybody: a child, an adult, a child predator, or a spambot'


Updated A new social network website claiming to be a "Facebook for Kids" is riddled with security shortcomings, security researchers at Cambridge University have warned. The site - School Together Now - said that it took security seriously and promised to review the findings of the Cambridge researchers.

School Together Now - which is aiming to sign up parents as well as children as members - is due to launch at the start of next year but is already open to registration. National media coverage about the site sparked the curiosity of Cambridge postgraduate researcher Joseph Bonneau about what security controls for an obviously vulnerable age group had been established.

Bonneau discovered a myriad of security problems beyond the issue of whether kids needed a social networking site. School Together Now is focused on signing up seven to 12 year-olds but advertisers and others can also participate.

"Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children," Bonneau writes in a post to Cambridge University's well-respected Light Blue Touchpaper blog.

Preventing impersonation or fraudulent sign-ups is a difficult problem for any website, and particularly important for a social network targeting kids. But School Together Now makes few efforts to establish the bona fides of would-be members.

"School Together Now... makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot," Bonneau notes.

The Cambridge researchers have already discovered one profile solely designed to pump out spamvertising for an online Viagra distributor.

Users of the site are not required to declare an age - of course people can lie about their age, but when they do so it gives evidence of acting in bad faith that might be useful in prosecutions.

"Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service," the security researchers add. "The site similarly makes no effort to verify claimed affiliation with a school or a parent account."

Bonneau and his colleagues were able to link a test account to any primary school they wished. Facebook, by contrast, requires a valid email address in a school's domain to join academic sub-networks.

Wide open

Other aspects of School Together Now worry researchers. The information sharing model established by the site is "fundamentally broken".

"The default settings share all entered information, which could include email addresses and phone numbers, with all users on the site–who could be anybody. Although the website classifies users into groups like children and parents (and also "advertisers"), there are no restrictions on communication between them," Bonneau writes.

In addition, forum postings are viewable through search engines. "Information posted by users may be reviewed by moderators and deleted, but we were able to locate clearly sensitive information such as age, personal habits, school membership, and location, which had been left in forums for weeks," Bonneau notes.

School Together Now also contains a private messaging function which allows users to exchange messages outside of any control by moderators. School Together Now lacks a clear mechanism for reporting abuse.

All these bad security design choices, and more, make the site unsafe for its target demographic, the Cambridge boffins conclude.

MySpace and Facebook limit membership to those over 13 because of the greater problems in catering to kids. Most child-centric sites are geared toward gaming, with little social interaction, though there are examples of child-centric sites that do a better job with security.

"Online social environments aimed specifically at kids typically provide even more security. Disney's Toontown Online game, for example, only allows free-form chat except between friends who have been verified out-of-band (outside the site)."

Think of the Children

School Together Now's claims to provide a "safe and secure environment for children" are misleading because a lack of basic authentication and authorization makes the site a potential hunting ground for predators, Bonneau concludes.

Professor Ross Anderson of the Cambridge University Computer Lab told El Reg that School Together Now has failed to take on board the security lessons learned by Facebook in developing its site, and fails to follow best practice and Home Office recommendations.

We relayed the concerns of the Cambridge University experts to School Together Now, which promised to review the findings of the report.

Esther Guy, School Together Now founder, a working mother of three, said: “The security of our website and the safety of our users is of paramount importance to everyone at School Together Now and we therefore welcome the Cambridge University team’s analysis of the site."

"The team’s research is particularly welcome at this time as we prepare to launch the site to the general public next year. We shall look at the report very carefully and if we feel that it identifies areas where our site’s security can be improved then we shall take swift action to do so," she added. ®
