Forgot your password?
typodupeerror
Security The Internet

Social Networking Sites Full of Security Holes 76

Posted by CmdrTaco
from the 2.0-is-harder-than-1.0 dept.
athloi writes "Social networking Web sites such as MySpace.com are increasingly juicy targets for computer hackers, who are demonstrating a pair of vulnerabilities they claim expose sensitive personal information and could be exploited by online criminals."
This discussion has been archived. No new comments can be posted.

Social Networking Sites Full of Security Holes

Comments Filter:
  • by UncleWilly (1128141) * <UncleWilly07@gma ... m minus caffeine> on Monday August 06, 2007 @02:22PM (#20132477)
    First a story about how restrictive social networking sites are.

    Now, so many holes in social networking sites your data is already in the hands of criminals.
  • by dave-tx (684169) * <df19808+slashdot&gmail,com> on Monday August 06, 2007 @02:23PM (#20132495)

    Of course it's full of holes. How else would it connect to the series of tubes?

  • by elrous0 (869638) * on Monday August 06, 2007 @02:26PM (#20132533)
    It wasn't a security hole that allowed someone to blackmail Miss New Jersey [gawker.com]. The real danger of these networking sites are dumbasses who post embarassing pictures and blogs about themselves IN THE OPEN, not anything a hacker needs to dig for.
    • Yes, but assume that some sites DO implement security features like only allowing your data to be shown to your "buddies". What happens when these security measures get broken?

      The other day i could watch a demonstration of a XSS attack on meebo due to lack of server-side validation.

      Now add a little AI / data mining to this:

      (New entry, mo/day/yr) "Here's a picture of me and my daughter Jessica playing on the NN. park" -> AI -> name: Jessica. Picture: (insert here). Last seen on: MMDDYY. Location: NN. Park.

      There! You could make a database of potential victims for threats, blackmailing, and what not. The only thing that makes me feel safe is that such AI data mining technology hasn't been developed... yet.

      As a rule of thumb, follow Murphy's law: What can go wrong, WILL go wrong (remember the recent SSN leaks?) Unless social networking sites have been PUBLICLY certified as having greater security than Fort Knox, stay away.
  • My girlfriend's MySpace page became hijacked fairly recently and was forced to post advertisements for some website. Needless to say, she knows better than to give out her username and password to any website. I also called up namecheap.com, the domain provider and complained about the website that was being advertised. Nothing will probably be done, and how this happened will probably remain a mystery. I've always wondered if myspace actually uses a challenge token to log in, and if all it takes is a repla
  • Applause (Score:1, Funny)

    by Anonymous Coward
    I, for one, applaud these social networking sites' quick response to the call to "open up".
  • Fortunately, I'm only logged into those sites as a 15-year-old girl from Kansas with a dog named Toto.

    At least I don't think they can get to me!
  • by Doc Ruby (173196) on Monday August 06, 2007 @02:40PM (#20132747) Homepage Journal
    Is giving your personal data to a company that sells it to spammers or anyone else with a buck when they start going bankrupt a "security hole"?
  • by sleekware (1109351) on Monday August 06, 2007 @02:43PM (#20132779)
    i wouldn't be surprised to find out that most of the hacked accounts had passwords that were something that was listed under the favorite things on a user's profile.
    • Re: (Score:2, Insightful)

      by Catil (1063380)
      There is another possible "attack-vector" - most email-accounts still offer or even require a security-question like "what is my pet's name?"
      Some of these can porbably be answered by anyone reading the profile or blog of someone else; and once you got access to the email-account, you could use the forgot-password-option on almost all other websites, including ebay and paypal.
      • by Ciarang (967337)
        I would like to think that nobody here is stupid enough to give the real answers to those kind of questions. The others will have the pet's name as their password anyway, so it's irrelevant.
        • by mh1997 (1065630)

          I would like to think that nobody here is stupid enough to give the real answers to those kind of questions. The others will have the pet's name as their password anyway, so it's irrelevant.
          I went to the Paris Hilton School of IT Security and the answer to all my questions is "tinkerbell."
  • by BobMcD (601576) on Monday August 06, 2007 @02:44PM (#20132791)

    Oh, wait a second, you said 'Holes'. Oh. Carry on, then...
  • by Anonymous Coward
    I thought it said "Social Networking Sites Full of Assholes".
  • perverts? (Score:2, Funny)

    by ZOMFF (1011277) *
    So how long till the "exploiting of the holes" gets taken out of context by parents and we're doomed to another discussion of "think of the children" and "sexual predators in the tubes".
  • No SSL (Score:3, Insightful)

    by jerbenn (903795) on Monday August 06, 2007 @02:58PM (#20132957)
    How can anyone expect to keep their myspace login credentials private when they don't even have the login page SSL'd? Those bunch of retards!
  • I'm guessing if you're searching MySpace for "juicy", then YES... you'll probably see more than a few 'security holes'. That's just the risk you take, as a user of The_Internet.

    /haven't tried, myself

  • Stereotyping? (Score:5, Insightful)

    by Andy Dodd (701) <atd7@@@cornell...edu> on Monday August 06, 2007 @03:18PM (#20133189) Homepage
    "Yet another MySpace security hole" somehow translates to "All social networking sites are full of holes"?

    Just a LITTLE bit of stereotyping in the article title I think?
    • by ad0gg (594412)
      Per the article, it wasn't a hole on the site. It was hole in older versions of firefox.
  • What I find funny is the fact that most of the poor souls that go to such sites looking to connect with other people are on a site where the people in charge couldn't care less... I signed up for My(waste of)Space when it showed up on the net because for some people I knew it was the only means to reach them any longer. I canceled my ISP and switched since then, asking the OZ like people running the show to please update my e-mail to reflect this change, more than a year has gone by. Has my e-mail been chan

    • by rainmayun (842754)
      To play devil's advocate, how could they reasonably have differentiated you from a malicious user intent on subverting someone else's account?
      • To play devil's advocate, how could they reasonably have differentiated you from a malicious user intent on subverting someone else's account?

        Erm, since I was actually logged into the account and provided everything they had asked for it might have been grounds for them to approve such a request thereby proving my identity... But then again you are right, from the eyes of the truly security conscious there is no way. Be sure I won't be e-mailing or faxing anybody a copy of my ID anytime soon, let alone divulging personal information on the internet to anybody in the name of security or not. Disturbing in the digiworld there is no real way for yo

  • by veganboyjosh (896761) on Monday August 06, 2007 @03:39PM (#20133499)
    This error has been sent to myspace.com's technical department.

    I'm sure Tom will get right on it.
  • by Anonymous Coward
    Get the end users to install curtains and a dog.
  • by British (51765) <british1500@gmail.com> on Monday August 06, 2007 @03:58PM (#20133727) Homepage Journal
    There's a feature where in Myspace you can set all your pictures to "private". But most idiots on myspace insist on having a myspace slide show on their profile page(along with 2000 other flash applets). Click on the picture in the slideshow, now you can see the album! Just use previous/next to navigate through them.

    Then there was the time I was on myspace, and a banner ad tried to send me a virus. You would think Myspace would be a bit more discretionary who it lets send banners over. Tsk tsk!

    Of course, not as fun as the images directory being left open on all angelfire pages. Some of those were fun to sort through, showing pictures not intended for the public(ie nudity, etc).
  • by Geekbot (641878)
    More like olds. This is like complaining that geocities is full of hacks.
  • ...Therefore, it must be a safe and smart thing to do. My Manager suggested I create a MySpace account to market myself to a broader audience. Buzz!!! Wrong answer, idiot!
  • Well of course they are. Any site that allows random users to post HTML content that then gets embedded in the site's pages (especially as extensively as sites like Myspace, etc allow it) is going to be subject to security flaws. Moral of the story: browse such sites using a secure browser, at least as secure a browser as you can find.
  • Seriously I know they aren't exactly the most prudish, but calling them holes is just crude.

    Oh we're talking about security? My bad.
  • I recall reading a story recently regarding this issue. From a girl's facebook account, researchers had enough information to steal her identity in 15 minutes. On a side note: I am not able to delete my facebook account. To fully delete it, I have to remove everything from my wall and every friend, I've ever had. Don't really want to do that. I can "disable" it. Personally, i would just like to be removed from their database. No seriously - i sent them the SQL statement that would probably take care of it.
  • A site where you put in your name, age, and location, for the soul purpose of meeting people is unsecured?

    What sort of fiend would pray on people who clearly state there name, address, age, and often occupation, hangouts, favorite things.

    I mean really, how much security did you expect. There is no anonymity on Myspace or Flicker, so who the hell would be surprised when it gets hacked. There are probably a million people out there that hate Myspace (or flicker/other social sites) some of them must have t
  • I work at a computer repair shop, and every single day I hear some variation of "as soon as you log in to MySpace you open a port in your firewall and that's why you have a virus." I've been asked before to block MySpace on customers' systems. My boss has complained that the store's computer has errors because someone logged on to MySpace (it has nothing to do with the 500+GB of customer backups on the system, because they're not on the same hard drive as Windows).

    And now you go and post this? Despite th

If a subordinate asks you a pertinent question, look at him as if he had lost his senses. When he looks down, paraphrase the question back at him.

Working...