Thursday, July 15, 2004

Security issues at Friendster

The latest Crypto-Gram newsletter points out a Wired article that documents some serious security holes in Friendster.
    Moore has written several Unix shell scripts that run on-the-fly background checks on people who use wireless networks in his neighborhood. With the help of the popular network-traffic analysis utility Netcat, his script "sniffs all the traffic on the Wi-Fi network, greps for email addresses, and looks them up on Friendster." Then the script sends Moore an email that includes a link to the users' Friendster profiles, along with their pictures and login IDs.

    At a time when it seems that nearly everyone has a Friendster account, Moore says, "You can do really creepy stuff. You can get the profiles on everyone in your local café, then see who their friends are, and just walk up to them and ask, 'Aren't you Tom's friend?'" More disturbing, Moore's toolkit allows him to get zip codes and last names, making it easier to track down the real-world addresses of his targets, thus opening up a whole new universe of creepiness. "You could do all sorts of mean things," he says.

    [Another trick] mines for information about anyone who looks at his profile and clicks through to his Web site. "I get their user ID, email address, age, plus their full name. Neither their full name nor their email is ever supposed to be revealed."

    Notified of the security holes, Friendster rep Lisa Kopp insists, "We have a policy that we are not being hacked." When I explain that, policy or no, they are being hacked, she says, "Security isn't a priority for us. We're mostly focused on making the site go faster."

"We have a policy that we are not being hacked." Wow. What more is there to say? Wow.
