Feeds

Code for open-source Facebook littered with landmines

Diaspora release not for noobs

The essential guide to IT transformation

Four New York University students who raised a bundle of cash to build a privacy-preserving alternative to Facebook sure have their work cut out for them.

The release of pre-alpha source code for their Diaspora social Website was only a few hours old on Wednesday when hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos.

“The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

“About the only thing I haven't been able to do yet is to compromise the security of the server that Diaspora is installed on. That's not because that isn't possible. If a professional security researcher goes after this, I have every confidence that they will be able to do that.”

Diaspora grew out of deep-rooted dissatisfaction many people expressed earlier this year in response to Facebook privacy changes that without warning exposed details many users didn't want to share with world+dog. When the developers sought funding, according to The New York Times, they asked for $10,000. So strong was the discontent of some Facebook users that they ended up with donations exceeding $200,000.

McKenzie first voiced his concerns on a online hacker discussion devoted to Wednesday's release. Diaspora representatives didn't respond to an email seeking comment.

To be fair, the Diaspora creators are very clear that Wednesday's release comes with “no guarantees” and includes known “security holes and bugs.” But McKenzie said he isn't sure that message has reached some of the project's most fervent fans.

“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”

He's not the only one who has found bugs. Among the list of reported issues in the code are numerous XSS — or cross-site scripting — attack vulnerabilities, a session token that's easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields.

Encryption features in Diaspora, which runs on the Ruby on Rails software stack, is also susceptible to a recently enhanced “Oracle Padding attack,” being demonstrated this week at the Ekoparty conference in Argentina, but then again, so are many banking apps. ®

5 things you didn’t know about cloud backup

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.