Sep
19
2010

Open-source Facebook competitor is “Security Minefield”

Four New York University students who raised a bundle of cash to build a privacy-preserving alternative to Facebook sure have their work cut out for them.

The project in question, Diaspora, grew out of deep-rooted dissatisfaction many people expressed earlier this year in response to Facebook privacy changes that without warning exposed details many users didn’t want to share with world+dog. When the developers sought funding, according to The New York Times, they asked for $10,000. So strong was the discontent of some Facebook users that they ended up with donations exceeding $200,000.

On Wednesday, to show people just how far the project has come along, some of the open-source code planned to be used in a pre-alpha version of the website was made available to the public. However, only a few hours later, hundreds of security researchers and amateur hackers began identifying security flaws in the code that could seriously compromise those who used the service. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos. In fact, one user who voiced his concerns on an online discussion prior to this news being picked up on, stated, “About the only thing I haven’t been able to do yet is to compromise the security of the server that Diaspora is installed on. That’s not because that isn’t possible. If a professional security researcher goes after this, I have every confidence that they will be able to do that.”

To be fair, the Diaspora creators are very clear that Wednesday’s release comes with “no guarantees” and includes known “security holes and bugs.” However, it seems that message may not have reached some of the project’s testers and die-hard fans.

Other known bugs in the service include: numerous XSS — or cross-site scripting — attack vulnerabilities, a session token that’s easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields. The creators claim they are working hard to address all the vulnerabilities as quickly as possible and hope to have a more stable product by the pre-Alpha stages.

Digiprove sealThis informative article has been Digiproved © 2010

Comments are closed.