
Security Issues of Social Network Sites

Social networks are one of the most advanced forms of communication. The network of social relations that we build during everyday life can be moved to the Web, organized and expanded with new contacts. The social network phenomenon was born in the USA and developed around three main categories: professional links, friendship and love relations.

What Social Networks Are

Social networks are very widespread today. A social network is a social structure made up of people tied together by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship and so on. A social network can be represented as a graph, where nodes are generally individuals or organizations and edges are relationships between two nodes, as in figure 1.

The "Internet version" of social networks moves this network of social relations to the Web, where it can be organized and expanded with new contacts.

Online social networks "exploded" in 2003, thanks to the popularity of sites such as Friendster, Tribe.net and LinkedIn. Other social networking sites, such as Orkut (by Google) and Kibop, appeared in 2004. Nowadays the most popular ones are Facebook and MySpace, with 132 and 117 million users respectively in 2008.

A further evolution is represented by semantic social networks, which connect both people and blogs, such as StumbleUpon and Funchain.

To join a social network you have to build your own personal profile, providing personal information such as your email address, but also information about your interests, hobbies, work experience, work references and so on. At this point you can invite your friends to become part of your network of contacts, and they can do the same, so that the network of contacts keeps widening. It is possible, of course, to build thematic virtual communities according to your hobbies or business area, adding users and gaining new friends or business contacts.

Social networks can also be used to try to solve the "single sign-on" problem. For instance, a new "Facebook Connect" button is appearing on some websites: it saves visitors from having to fill out yet another tedious registration form, upload another profile picture and memorize another username and password. Instead, visitors can sign into other sites using their existing Facebook identity. The big new idea seems to be "dynamic privacy": as the social network reaches out across the wider web, users will in theory take their privacy settings with them. Wherever on the web they are, they will be able to choose which of their friends will and won't see what they are up to. As soon as a user demotes a friend to a lower level of intimacy in his Facebook settings, this will also take effect on other sites.

Security Aspects of Social Networks

Social networking sites depend on millions of people voluntarily divulging accurate personal information. In a world where identity theft is a growing concern and spammers can't wait to get their hands on your email address, how do you take advantage of what these "Web 2.0" sites have to offer while minimizing risks for your personal information?

First of all, be conscious of the psychological aspect. Since most people access social network sites from the comfort and privacy of their home or office, they can be lulled into a false sense of anonymity. Additionally, the lack of physical contact on social network sites can lower users' natural defenses, leading individuals into disclosing information they would never think of revealing to a person they just met on a street, or at a cocktail party.

Your personal information is probably already stored in lots of databases, but what's unique about the set of personal data which is saved in famous social networking sites is that it includes intimate details (like your views on politics, religion and relationships) and that it's tied to a picture of you. This combination of identifying details with a visual image is one of the things that makes these kinds of sites so interesting and compelling, but also so potentially dangerous. Theoretically, someone could find out what town you live in and where you are going to be at a certain hour of a certain day. Using your picture, she/he could show up there and try to convince you she/he is a long lost cousin of yours who's down on his luck and needs some money.

The lack of physical contact also makes it easier to build false profiles. For example, you may think you are chatting with a CEO from somewhere, while you are actually chatting with a completely different kind of person from a completely different place.

Excessive blabbing on social sites can generate unwanted gossip about the company in which a person works and its plans, while unscrupulous competitors can social engineer employees into revealing intellectual property.

So, pay attention to the information you insert, be discreet, don't trust people immediately and take the time to read and understand the privacy related documents that are published on these sites. Don't share any information unless it's absolutely necessary.

Some experts underline the fact that, even if different social networking sites are lumped together when dealing with their security issues, it is more appropriate to also consider them separately, as each has its own specific security weaknesses. For example, individuals are considered to be more insulated from spam or worms on LinkedIn than on MySpace or Facebook, but organizations may be more susceptible to a targeted attack via LinkedIn.

LinkedIn's problem is not so much technology as the common practice of sharing names, titles and organizations. It can be very easy to obtain an organizational chart that can then be used for an attack. Once an attacker finds out who works with whom, for instance, she/he could send a carefully crafted email via LinkedIn to the head of the victim's human resources department, posing as a headhunter recommending a candidate for an open position. But the email could carry a malicious Word file rather than a resume. When opened, the file could take control of the victim's PC and steal other company information. Basically, information about how people are connected, the work they do and the positions they hold is all valuable to a potential attacker.

Letting users authenticate to the site with an email address is also considered suboptimal from a security standpoint.

Still, LinkedIn is generally safer than MySpace and Facebook, mainly because it is less feature-rich and therefore opens fewer potential attack vectors, experts say.

MySpace was one of the first social networking sites, and it is still one of the largest. Its sheer size has made it an obvious target for spammers, hackers and online predators. MySpace is also a victim of its own business model, in which the user controls his or her content and presentation. Users can add banners to their pages and embed other Web technologies and links, so there are many opportunities to link to dangerous things and to embed malware in the pages. MySpace often carries spam, and it has had several cross-site scripting (XSS) flaws exposed. Besides the infamous Samy worm attack in 2005, the site was reported to have had trouble keeping some private data private.

Facebook, now the leading social networking site in the world, can be considered to have security problems similar to those of MySpace, but its approach is a bit different. Part of the reason Facebook is so popular is that many users were put off by the anarchy of MySpace and see Facebook as more controlled and conservative, though this is far from saying that Facebook is absolutely safe.

In particular, Facebook relies on third-party Java applications, so the user is not only entrusting Facebook with her/his login and password but must also trust the third-party applications that provide tools for Facebook users. There is a potential danger that the code you are running on the site is malicious, or that it points you to a site containing malicious code.

As mentioned, Facebook lets you add applications, tiny programs that run inside Facebook itself. Facebook granted programmers free access to the Facebook platform in May 2007, meaning that anybody with the necessary skills could create an application, and the number of Facebook applications has grown impressively as a result.

Facebook applications are small programs that work inside Facebook. They're similar to Web browser plug-ins (like video players) in that they let you do something you couldn't do before you installed them. They're easy to install and appear on your Facebook Applications menu.

Often Facebook applications are just "humorous time-wasters", like the ones that let you spray-paint graffiti on someone's wall, but there is also an increasing number of more serious, business-oriented applications: Professional Profile, for example, lets you post and edit your resume on Facebook, then track who views it. The downside to using Facebook applications is that you automatically grant the application's developers access to your profile, which poses a security risk.

After Facebook introduced new options and a new privacy interface in 2008, a security expert demonstrated that it was possible to exploit security holes and access private details. Facebook then deployed a fix to prevent this from happening. This recent Facebook breach highlights how the social networking world is still evolving and continues to harbor a host of potential threats to personal and sensitive information. Businesses have been worried about social networking sites ever since they exploded in popularity: besides the expected loss of productivity, there are also worries about employees releasing confidential information.

An example of relatively recent malware that appeared on Facebook is "Secret Crush": you receive a fake message saying that a friend of yours has secretly fallen in love with you. To discover her/his identity, you are invited to install an application and tell your friends to do the same. The application then sends you unwanted ads instead of revealing the identity of the person you were looking for.

Another worm detected in 2008 was called "Boface.G". It uses Facebook and MySpace to spread. This malicious software adds a post containing a link to a fake YouTube video, apparently coming from someone you know. If you click on the link, a message containing the same link is sent to all your friends, and you are invited to download a Flash Player update in order to see the video. Instead of a Flash update, the download is a copy of the worm, which then attacks all your contacts.

Many attacks now have nothing to do with exploits and vulnerabilities: they can be classified as "phishing", and they are about persuading people to click a link.

Something Specific About Facebook

Now let's consider, in particular, the site that has become the most famous social network: Facebook. Today it is common to hear people say "everybody is on Facebook". This is not a suggestion to use this site instead of similar ones; just take it as an example. Most of the advice given here is valid, "mutatis mutandis", for any social networking site, not just Facebook.

Privacy, as was said, is the first concern. People you would never imagine can get access to your profile. If you think only people who live near you or work at your company can view your profile, you are wrong. Hiring managers, parents, teachers, police officers and other people who are determined to view your Facebook profile can find a way to do so, either by asking a co-worker or friend who is a member of your Facebook network to look up your information, or even by obtaining a court order.

Some advice is simple and obvious, such as:

  • Don't share your password with anyone.
  • After you type your email address and Facebook password into the login page, make sure the "Remember me" check box is turned off before you click the Login button.
  • Log out when you're finished using Facebook.

Besides these simple recommendations, there are three main strategies you can adopt to keep your private data safe:

  1. Avoid putting sensitive information on Facebook; choose what kind of information you share with the site and how much. Share only the essentials: for example, if you use the site for hobbies (music etc.), don't add non-essential work information.
  2. Customize your privacy settings, as will be explained below.
  3. If the worst happens, fight back by blocking access and, if necessary, reporting the violations.

You can make your entire profile off limits to certain groups of people, such as the people in one of your networks. You can also hide specific parts of your profile (like your contact information and which applications you've added) from whole groups of people, such as one of your networks or all your friends. To do so, at the top right of any Facebook screen, choose the "Privacy Settings" item from the "Settings" menu. A "Privacy Overview" page appears, letting you choose among the following privacy related topics:

  • Profile: control who can see your profile and personal information. For example, you can decide that your phone number can be seen by all your direct friends, by both friends and friends of friends, by no one, or by a customized list of people.
  • Search: control who can search for you (everybody, friends, etc.) and how you can be contacted.
  • News Feed and Wall: control what stories about you get published to your profile and to your friends’ News Feeds. For instance, you can decide if a single action such as adding a new friend is visible to all your friends or not.
  • Applications: control what information is available to the applications you use on Facebook. For example, you can decide that applications cannot access the information regarding your work history or your relationship status. You can also block some applications completely.
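As an added illustration (not Facebook's code), the following constructed Python model captures the per-field visibility levels and the per-application field blocks described above, so a reader can check exactly what a friend of a friend, or a restricted application, gets to see; the users, fields and application name are made up.

```python
from collections import defaultdict

# Constructed friendship graph (undirected) between fictional users.
EDGES = [("alice", "bob"), ("bob", "carol"), ("carol", "dave"), ("alice", "erin")]
FRIENDS = defaultdict(set)
for a, b in EDGES:
    FRIENDS[a].add(b)
    FRIENDS[b].add(a)

# Per-owner, per-field visibility: one of the four options the article lists
# ("friends", "friends_of_friends", "no_one", or "custom" with an explicit set).
SETTINGS = {
    "alice": {
        "phone": ("friends", None),
        "hometown": ("friends_of_friends", None),
        "politics": ("no_one", None),
        "work_history": ("custom", {"erin"}),
    }
}

# Fields alice has blocked for a particular (fictional) application.
APP_BLOCKED = {"graffiti_wall": {"work_history", "relationship_status"}}


def can_view(owner, viewer, field):
    """True if `viewer` may see `owner`'s `field` under the owner's settings."""
    if viewer == owner:
        return True
    level, allowed = SETTINGS[owner][field]
    friends = FRIENDS[owner]
    if level == "no_one":
        return False
    if level == "custom":
        return viewer in allowed
    if viewer in friends:            # direct friend: allowed at both levels
        return True
    if level == "friends_of_friends":
        # Sharing at least one friend makes the viewer a friend of a friend.
        return bool(friends & FRIENDS[viewer])
    return False


def visible_fields(owner, viewer):
    """Exposure check: every field of `owner` that `viewer` can see."""
    return {f for f in SETTINGS[owner] if can_view(owner, viewer, f)}


def app_can_read(app, field):
    """Application access is granted unless the user blocked that field."""
    return field not in APP_BLOCKED.get(app, set())
```

Running `visible_fields("alice", "carol")` shows that a friend of a friend, who may be a complete stranger, already sees the hometown field, which is the kind of exposure the text warns about.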

If you're being harassed by another Facebook member, you can take action. The first thing you can do is stop her/him from contacting you on Facebook. If that's not enough, you can go a step further and report the person to Facebook.

Facebook lets you prevent individual members from knowing that you are even on the site. Blocking someone keeps her/him from seeing your profile, finding you through Facebook searches, or contacting you via Facebook. You can block someone from the main Privacy page.

Facebook makes reporting potential violations easy by displaying a "Report" link on every Facebook application page and next to virtually every potentially offensive piece of info members add to the site, from discussion threads to wall posts.

Shon Harris, and the Logical Security team, continually monitor the environment and the industry and develop programs to assist companies in achieving real security and measurable results. The Logical Security information security articles and materials provide organizations with the knowledge and strategies vital to managing and maximizing an enterprise's security.