Feeds

Code for open-source Facebook littered with landmines

Diaspora release not for noobs

Top three mobile application threats

Four New York University students who raised a bundle of cash to build a privacy-preserving alternative to Facebook sure have their work cut out for them.

The release of pre-alpha source code for their Diaspora social Website was only a few hours old on Wednesday when hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos.

“The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

“About the only thing I haven't been able to do yet is to compromise the security of the server that Diaspora is installed on. That's not because that isn't possible. If a professional security researcher goes after this, I have every confidence that they will be able to do that.”

Diaspora grew out of deep-rooted dissatisfaction many people expressed earlier this year in response to Facebook privacy changes that without warning exposed details many users didn't want to share with world+dog. When the developers sought funding, according to The New York Times, they asked for $10,000. So strong was the discontent of some Facebook users that they ended up with donations exceeding $200,000.

McKenzie first voiced his concerns on a online hacker discussion devoted to Wednesday's release. Diaspora representatives didn't respond to an email seeking comment.

To be fair, the Diaspora creators are very clear that Wednesday's release comes with “no guarantees” and includes known “security holes and bugs.” But McKenzie said he isn't sure that message has reached some of the project's most fervent fans.

“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”

He's not the only one who has found bugs. Among the list of reported issues in the code are numerous XSS — or cross-site scripting — attack vulnerabilities, a session token that's easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields.

Encryption features in Diaspora, which runs on the Ruby on Rails software stack, is also susceptible to a recently enhanced “Oracle Padding attack,” being demonstrated this week at the Ekoparty conference in Argentina, but then again, so are many banking apps. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.