Even as the shadowy hacker group Anonymous threatens to take on the mighty social-networking site Facebook, claiming the group will 'kill' Facebook on Nov. 5, some researchers are criticizing Facebook security, saying it could be better.
"We started testing the site and reporting vulnerabilities to them," says Mandeep Khera, chief marketing officer at security firm Cenzic about Facebook, which in late July started a bug bounty program encouraging researchers to confidentially report any security issues directly to Facebook. But Khera says Facebook brushed off the issues Cenzic raised in the last few days about some weaknesses the security firm believes it has identified in Facebook log-in and passwords, among other things.
However, Khera says Facebook yesterday apparently corrected one issue regarding ineffective session termination using Internet Explorer browser, which occurred when the user logged out using IE and backspaced a few pages, a refresh of the Facebook page automatically logged you in again. "They said they can't reproduce the vulnerability but it looks like they fixed it," Khera says.
Cenzic is criticizing the password system that Facebook uses, which Khera says is six characters and "takes 30 seconds to crack." He also faults Facebook for not having SSL on for the initial user registration. "This can be sniffed by anyone," he says. He also complained about Facebook's auto-password-complete function, saying, "As a good practice, it shouldn't complete the password automatically." He faulted Facebook's "bad login message" because he says it tells too much in saying you didn't enter the right email for example.
But after Cenzic reported these findings to Facebook, "they came back and said, the password and SSL stuff, these are 'best practices,' not 'vulnerabilities,'" Khera says. "So our response was, shouldn't you be following best practices since everyone is hacking you?"
The hacker group Anonymous today allegedly threatened to 'destroy' Facebook on Nov. 5, accusing the social-networking site of spying on users, cooperating with authoritarian governments and abusing people's privacy. However, because the alleged Anonymous notification did not originate from better-known sources of Anonymous communiqués to the public, some are questioning whether this is an authenticate Anonymous threat at all. Anonymous, however, has proven diligent in carrying out threats it has made in the past.
Cenzic is offering developers for social-networking sites a free "healthcheck" vulnerability assessment using Cenzic's cloud-based offering, ClickToSecure Cloud.