Facebook Opens Status API

By lisa89 at 5:27 pm on February 10, 2009

“Facebook is slowly tearing down the wall around its silo and is starting to expose more of its data to the outside” (From Facebook Opens Up: Lets Developers Access Status Updates, Notes, Links, and Videos). Facebook now allows third-party developers to access users’ private data, such as status updates and notes. This is intended to give developers more flexibility in building and using applications. Moreover, Facebook wants to attract more users by joining the OpenID Foundation. However, this update to Facebook’s API introduces weaknesses and potential security problems.

Assets and security goals

  • Since Facebook joined the OpenID Foundation, people who possess an OpenID account (one account, one password, login to multiple sites) will also be able to have a Facebook account. Thus, more and more people will join Facebook and use it for networking.
  • Developers’ applications should be verified before they are released to the public and made available to users. Moreover, there should be stricter terms and conditions for developer registration, such as phone number or email validation, so that developers will not misuse users’ private information (pictures, videos, etc.).

Potential adversaries and threats

  • By allowing third-party developers to post links, the chance of encountering exploit URLs is higher. Since most developers know how to write code, they can simply trick users by asking them to download a program for the application which is actually an exploit.
  • With Facebook joining the OpenID Foundation, users who use OpenID to maintain accounts on different sites will have the same password and account name everywhere.

Potential weaknesses

  • It is easier for developers to write applications that access any status, links and notes of the active user or their friends. However, this raises a privacy issue: the user is not aware that the new application shares their private data (videos, pictures, notes) with all of their friends instead of only a few close friends.
  • A malicious person can first add friends at random. Next, he/she can post a bad video: a legitimate application that posts videos to other users’ pages will do so on the malicious person’s behalf, because that person is in other people’s active friends list. Alternatively, a malicious developer can simply upload a bad video to users’ accounts if the users accidentally run the application.

Potential defenses

  • To prevent developers from posting exploit URLs, every application’s code has to be filtered. The filter program would have to catch all possible keywords used to build exploit URLs (e.g., filter the word “script”).
  • No program is perfect; even with a filter, something can still be missed. Thus, it is better to have a trusted third party verify developers’ applications, or to require developers to obtain a certificate from that third party.
  • Even though OpenID makes it easier for users to create accounts on several sites, it would be more secure if sites provided a second layer of defense, such as security questions for each account.

Risks

  • For an OpenID account, if an attacker obtains the password for one account, he will have access to the victim’s accounts on the other websites that joined the OpenID Foundation. The attacker can then change the user’s password so that the user no longer has access to his Facebook, VeriSign, Yahoo, etc. accounts. There are many other things the attacker can do once they own the password.
  • According to AllFacebook, there is an upload limit for videos. However, users can remove this limit by verifying their phone number (since the article does not specify how phone number verification works, we assume that users will have to type in their phone number and receive a verification code). If a malicious person steals a user’s phone, they can use it to remove their own limit, and the user will then no longer be able to remove the limit for themselves. Moreover, this creates an incentive to steal other people’s phones.

Conclusions

By allowing developers to access some of users’ private data and to upload videos, more interesting Facebook applications will surely appear. However, not many people are aware of the risks; their private data could be in danger. Thus, by giving developers more access, Facebook also has to make the rules and regulations for third-party developers stricter in order to prevent bad things from happening.

Filed under: Security Reviews
