Will Facebook's Radical New Changes Threaten Users' Security?
You're stuck with Timeline.
This month, Facebook users will enter a new world of social experience, one in which the Facebook universe stretches across the Web, putting the individual user at the heart of it all.
"We want to design a place that looks like your home," Facebook founder and chief executive officer Mark Zuckerberg said when he unveiled two wide-reaching changes to the Facebook interface at the F8 developers' conference in San Francisco last month. "Facebook is at the intersection of technology and social change."
That's the way Zuckerberg and his employees would like you to see the changes. But to many security experts, Facebook's new features expose users to greater risk of identity theft and hacker attacks, largely because of the sheer amount of information about individual users that will now be displayed and communicated among hundreds of websites.
The first major Facebook revamp is the introduction of the Timeline. It replaces the Profile page and displays all of the Facebook posts each user has ever made in reverse chronological order, in effect creating a compact biography with major milestones highlighted.
Users are encouraged to add old content such as wedding photos or graduation videos to enrich their Timelines. (If you'd like to enable the Timeline on your Facebook account now, here's how.)
The other change expands the Open Graph protocol, which already pulls content and information from non-Facebook websites into user profiles. The new Open Graph makes it even easier to share online text, music and video with other Facebook users.
Reaching into the past
Graham Cluley, senior technology consultant at Sophos Labs in Abingdon, England, notes that until now, it's been difficult for identity thieves and "sextortionists" to access Facebook users' old posts and photos. But the Timeline changes all that.
"The Timeline exposes information in a much easier way," Cluley said. "In the past, it was more of a palaver to pull up older stuff."
For example, now that a user's every post is on the Timeline, a simple browser-based text search could quickly find details such as the user's mother's maiden name, her favorite pet or the street she grew up on. All three are answers to the type of security questions used by AOL, Apple, Google, Yahoo and countless other online service providers, even banks, to help users restore lost passwords.
With that personal information in hand, it's a simple matter to take over someone's Web-based email account and to lock out the legitimate owner. If that email address was used to set up a Facebook account, then that could be hijacked as well.
Such a nightmare scenario came to light in January at the "sextortion" trial of a California man named George Bronk, who admitted that he'd used those exact methods to take over the email accounts of hundreds of women. He blackmailed them by threatening to make public nude photos he'd found in their "sent" folders and demanded more nude photos as the price of his silence.
Bronk had to work hard to find the information he needed, but the Timeline would have simplified his task. Even now, not all Facebook users are careful about deleting old posts or making sure their privacy settings are up-to-date.
And there's one more thing: Facebook is giving users only five days to determine what information about themselves is hidden, and what's not, before their Timelines are published to the entire world. It takes more than one step to make sure old posts are private. (CIO magazine has detailed instructions on how to maximize Timeline privacy.)
Everything points back to Facebook
The Open Graph update raises a different set of security and privacy questions.
Under the existing Open Graph system, when a logged-in Facebook user hits the "Like" button on a third-party website, the page he's visited pops up in the "Likes and interests" section of his Facebook profile page.
The new Open Graph eliminates the need for the "Like" button. Third-party sites are creating social apps that will automatically communicate with Facebook; once authorized, they send information about your online movements back to your Facebook profile for all your friends to see in real time.
For example, if you're browsing the Washington Post's website, the Post's social app is busy automatically posting links to every article you look at onto your Facebook wall. Similarly, the app for Spotify, a music-streaming service, tells your Facebook friends what you're listening to. (At the F8 conference, Zuckerberg called this "frictionless" sharing.)
Don DeBolt, director of threat research at Total Defense in Islandia, N.Y., said the updated Open Graph protocol could create more openings for cross-site scripting attacks, which inject harmful code into your browser when you click on a malicious link.
Many cross-site scripting attacks steal cookies from Web pages in order to impersonate the user on other sites such as Facebook. To DeBolt, the more information that is available on a page, the easier it is to stage a cross-site scripting attack.
Both DeBolt and Cluley note that the new security issues Facebook might soon face have more to do with the complexity of the system and the way people use it than the actual technology used.
For example, DeBolt notes in his firm's best-practices document that it's good to limit the number of apps linked to any social-networking site, because more complexity means more vulnerable points. This is especially important on the networks people use at work.
"If you are handling system information or corporate affairs requiring security, it's a good idea to separate business from personal communications," DeBolt said.
Facebook app developers are conscious of the potential problems. Hakim Sadik, one of the directors of Avenuesocial, a social-media application developer based in Sunnyvale, Calif., said some early apps spammed Facebook users, forcing Facebook to limit how frequently apps could post to accounts. Future bad actors who steal victims' information could also write apps that do malicious things, but Sadik said he thought that wasn't likely.
"It's why you have an approval process," Sadik said.
Cluley, however, said the approval process for Facebook apps is basically nonexistent.
"You only have to give them a mobile phone and credit card number," Cluley said.
A Facebook spokesperson said the company has a team in place both to vet Facebook apps using a "risk-based approach" and to detect violations of Facebook's policies. She also said Facebook can take steps to remove bad actors before they gain access to data, adding that new apps will feature in-line privacy controls to let users manage them on an individual basis.
But that still leaves a lot of room for unethical apps that lead users to survey scams and the like. Then there's the social engineering aspect: Many people just click on "yes" when asked to give permission for apps to access sensitive data, without thinking it through.
"What I would like to see is more like Apple's walled garden," Cluley said, referring to Apple's tight control over iPhone and iPad apps, and its famously tough approval process. "With a real vetting system."