Feeds

Facebook scoffs at hacktivist stunt

Nothing to see here. Please move along

SANS - Survey on application security programs

Hacktivists took over control of almost 300 Facebook community groups in a bid to highlight concerns over how easy it might be for miscreants to hijack a shared interest group on the social networking site. Facebook said no hacking was involved in the attack, which it dismisses as a stunt.

The Control Your Info group, on the other hand, claims its take-over of 289 Facebook groups illustrates why the social networking site ought to tighten its security policy. The group exploited Facebook control features it argues are insecure, rather than website security bugs or vulnerabilities.

Facebook groups exist as venues for people with common interests to congregate and exchange ideas, pictures, and the like. The way Facebook works means that if administrator of a group leaves, any other member of the group can take over control.

Control Your Info (CYI) argues the approach is all wrong and control ought to pass automatically to the next most senior member of an online hang-out. As things stand, CYI reckons the feature could allow spammers to latch onto leaderless groups before spamming its members.

"If an administrator of a group leaves, anyone can register as a new admin," CYI told AFP. "So, in order to take control of a Facebook group, all you really have to do is a quick search on Google."

Admins have the ability to change just about everything about a group. To illustrate its point, CYI renamed each "hijacked" group with its name and logo, before posting messages explaining that the group had been hijacked and attempting to justify the attack. CYI promised to restore the groups to normal once it had made its point.

In a statement, Facebook said no confidential information was exposed by the stunt. It claimed the issue affected only small, abandoned groups.

There has been no hijacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group.

Group administrators have no access to private user information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. The names of large groups cannot be changed nor can anyone message all members.

In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

This sanguine response is unlikely to satisfy CYI, whose manifesto can be found on controlyour.info here. CYI claims its main goal is to "draw attention to questions concerning online privacy awareness". Sections of its site point to its interest in information left via YouTube and about password security as well as about data held on social networking sites. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.