Feeds

Facebook scoffs at hacktivist stunt

Nothing to see here. Please move along

Top 5 reasons to deploy VMware with Tegile

Hacktivists took over control of almost 300 Facebook community groups in a bid to highlight concerns over how easy it might be for miscreants to hijack a shared interest group on the social networking site. Facebook said no hacking was involved in the attack, which it dismisses as a stunt.

The Control Your Info group, on the other hand, claims its take-over of 289 Facebook groups illustrates why the social networking site ought to tighten its security policy. The group exploited Facebook control features it argues are insecure, rather than website security bugs or vulnerabilities.

Facebook groups exist as venues for people with common interests to congregate and exchange ideas, pictures, and the like. The way Facebook works means that if administrator of a group leaves, any other member of the group can take over control.

Control Your Info (CYI) argues the approach is all wrong and control ought to pass automatically to the next most senior member of an online hang-out. As things stand, CYI reckons the feature could allow spammers to latch onto leaderless groups before spamming its members.

"If an administrator of a group leaves, anyone can register as a new admin," CYI told AFP. "So, in order to take control of a Facebook group, all you really have to do is a quick search on Google."

Admins have the ability to change just about everything about a group. To illustrate its point, CYI renamed each "hijacked" group with its name and logo, before posting messages explaining that the group had been hijacked and attempting to justify the attack. CYI promised to restore the groups to normal once it had made its point.

In a statement, Facebook said no confidential information was exposed by the stunt. It claimed the issue affected only small, abandoned groups.

There has been no hijacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group.

Group administrators have no access to private user information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. The names of large groups cannot be changed nor can anyone message all members.

In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

This sanguine response is unlikely to satisfy CYI, whose manifesto can be found on controlyour.info here. CYI claims its main goal is to "draw attention to questions concerning online privacy awareness". Sections of its site point to its interest in information left via YouTube and about password security as well as about data held on social networking sites. ®

Beginner's guide to SSL certificates

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.