'Facebook for Kids' slammed by security researchers
'Users could be anybody: a child, an adult, a child predator, or a spambot'
Updated A new social network website claiming to be a "Facebook for Kids" is riddled with security shortcomings, security researchers at Cambridge University have warned. The site - School Together Now - said that it took security seriously and promised to review the findings of the Cambridge researchers.
School Together Now - which is aiming to sign up parents as well as children as members - is due to launch at the start of next year but is already open to registration. National media coverage of the site made Cambridge postgraduate researcher Joseph Bonneau curious about what security controls had been established for an obviously vulnerable age group.
Bonneau discovered a myriad of security problems beyond the issue of whether kids needed a social networking site. School Together Now is focused on signing up seven- to 12-year-olds, but advertisers and others can also participate.
"Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children," Bonneau writes in a post to Cambridge University's well-respected Light Blue Touchpaper blog.
Preventing impersonation or fraudulent sign-ups is a difficult problem for any website, and particularly important for a social network targeting kids. But School Together Now makes few efforts to establish the bona fides of would-be members.
"School Together Now... makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot," Bonneau notes.
The Cambridge researchers have already discovered one profile solely designed to pump out spamvertising for an online Viagra distributor.
Users of the site are not required to declare an age - of course people can lie about their age, but when they do so it gives evidence of acting in bad faith that might be useful in prosecutions.
"Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service," the security researchers add. "The site similarly makes no effort to verify claimed affiliation with a school or a parent account."
Bonneau and his colleagues were able to link a test account to any primary school they wished. Facebook, by contrast, requires a valid email address in a school's domain to join academic sub-networks.
Other aspects of School Together Now worry researchers. The information sharing model established by the site is "fundamentally broken".
"The default settings share all entered information, which could include email addresses and phone numbers, with all users on the site - who could be anybody. Although the website classifies users into groups like children and parents (and also 'advertisers'), there are no restrictions on communication between them," Bonneau writes.
In addition, forum postings are viewable through search engines. "Information posted by users may be reviewed by moderators and deleted, but we were able to locate clearly sensitive information such as age, personal habits, school membership, and location, which had been left in forums for weeks," Bonneau notes.
School Together Now also contains a private messaging function which allows users to exchange messages outside of any control by moderators. School Together Now lacks a clear mechanism for reporting abuse.
All these bad security design choices, and more, make the site unsafe for its target demographic, the Cambridge boffins conclude.
MySpace and Facebook limit membership to those over 13 because of the greater problems in catering to kids. Most child-centric sites are geared toward gaming, with little social interaction, though there are examples of child-centric sites that do a better job with security.
"Online social environments aimed specifically at kids typically provide even more security. Disney's Toontown Online game, for example, only allows free-form chat except between friends who have been verified out-of-band (outside the site)."
Think of the Children
School Together Now's claims to provide a "safe and secure environment for children" are misleading because of a lack of basic authentication and authorization that makes the site a potential hunting ground for predators, Bonneau concludes.
Professor Ross Anderson of the Cambridge University Computer Lab told El Reg that School Together Now has failed to take on board the security lessons learned by Facebook in developing its site, and that the School Together Now site fails to follow best practice and Home Office recommendations.
We relayed the concerns of the Cambridge University experts to School Together Now, which promised to review the findings of the report.
Esther Guy, School Together Now founder, a working mother of three, said: "The security of our website and the safety of our users is of paramount importance to everyone at School Together Now and we therefore welcome the Cambridge University team's analysis of the site."
"The team's research is particularly welcome at this time as we prepare to launch the site to the general public next year. We shall look at the report very carefully and if we feel that it identifies areas where our site's security can be improved then we shall take swift action to do so," she added. ®