Feeds

Facebook scoffs at hacktivist stunt

Nothing to see here. Please move along

Providing a secure and efficient Helpdesk

Hacktivists took over control of almost 300 Facebook community groups in a bid to highlight concerns over how easy it might be for miscreants to hijack a shared interest group on the social networking site. Facebook said no hacking was involved in the attack, which it dismisses as a stunt.

The Control Your Info group, on the other hand, claims its take-over of 289 Facebook groups illustrates why the social networking site ought to tighten its security policy. The group exploited Facebook control features it argues are insecure, rather than website security bugs or vulnerabilities.

Facebook groups exist as venues for people with common interests to congregate and exchange ideas, pictures, and the like. The way Facebook works means that if administrator of a group leaves, any other member of the group can take over control.

Control Your Info (CYI) argues the approach is all wrong and control ought to pass automatically to the next most senior member of an online hang-out. As things stand, CYI reckons the feature could allow spammers to latch onto leaderless groups before spamming its members.

"If an administrator of a group leaves, anyone can register as a new admin," CYI told AFP. "So, in order to take control of a Facebook group, all you really have to do is a quick search on Google."

Admins have the ability to change just about everything about a group. To illustrate its point, CYI renamed each "hijacked" group with its name and logo, before posting messages explaining that the group had been hijacked and attempting to justify the attack. CYI promised to restore the groups to normal once it had made its point.

In a statement, Facebook said no confidential information was exposed by the stunt. It claimed the issue affected only small, abandoned groups.

There has been no hijacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group.

Group administrators have no access to private user information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. The names of large groups cannot be changed nor can anyone message all members.

In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

This sanguine response is unlikely to satisfy CYI, whose manifesto can be found on controlyour.info here. CYI claims its main goal is to "draw attention to questions concerning online privacy awareness". Sections of its site point to its interest in information left via YouTube and about password security as well as about data held on social networking sites. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.