Wednesday, December 3, 2008

Security Review: Facebook

Social networking sites allow millions of people around the world to communicate with each other, in addition to sharing pictures, videos, stories, and other useful information. By far, the two most well-known social networking sites are MySpace and Facebook. As if you did not already know, users on Facebook mainly communicate via short written messages on the “Facebook walls” of other users. Users can communicate more privately with “Facebook messages”, and can also create “Facebook events” that describe pertinent information regarding upcoming community events. Facebook has even become a place of social activism: multi-member “Facebook groups” can be created for a wide variety of social, political, economic, and environmental causes.

Depending on the privacy settings of a particular user, other users can see that user's profile. Facebook accounts contain information that would be useful to potential employers, coworkers, friends, family members, and “romantic interests”. As a result, Facebook users and administrators require a high level of integrity—if the information contained within Facebook cannot be mostly accurate, the appeal of the social networking site would markedly diminish. In addition, there is also information, including pictures and notes, that Facebook users want to keep away from potential employers, nosy coworkers, and family members. As such, confidentiality is also important. Facebook administrators also want authorized users to be able to access the information stored on Facebook as easily as possible without jeopardizing security.

However, cyber-attackers may want to achieve alteration or disclosure of important Facebook information, because the hackers could use that information for personal financial gain—for instance, they could sell other users’ e-mail addresses and phone numbers—or to make other job applicants appear less favorable, etc. Furthermore, if hackers gain access to a Facebook account, they can easily “spam” the friends of the compromised user with links to phishing scams, pornography, or the like. Also, if a denial-of-service attack were carried out against the site, there would be an uproar from millions of Facebook users.

As a Facebook user for the past two and a half years, I have not once been asked to change my password. Therefore, I run the risk of hackers determining my password, which would lead to my account being compromised. Another vulnerability, which Facebook cannot easily address, is the very nature of social networking systems: if one account becomes compromised, that account could enable other accounts to be compromised. Furthermore, since Facebook has no method for ensuring that passwords are “strong” as opposed to “weak,” it is vulnerable to a brute force attack. Facebook is even vulnerable to XSS attacks that infect users with spyware, adware, and other types of malware.

In the end, Facebook is prone to the vulnerabilities, risks, and threats to which all large social networks are prone. However, the Facebook network complicates these vulnerabilities by allowing so many users easy access to the account information of other users. The networking and information-sharing capabilities of Facebook users are necessary for a successful social networking site, though, and these risks should not be avoided or transferred. In fact, I believe a combination of risk mitigation and risk acceptance is the more appropriate approach. Facebook must simply accept that it will be prone to the security vulnerabilities and threats common to social networking sites. However, Facebook can take preventative measures to make itself less vulnerable to brute force attacks and XSS attacks. For example, it can mandate that passwords be “strong” and be updated regularly.

1 comment:

  1. I think Facebook is a really interesting security study. Another concern that I have heard about is employers gaining access to information that you technically block. Though I'm uncertain if Facebook actually cohorts with corporations, that would pose a big risk to most college students, who use Facebook to communicate with friends. I've also heard (and read articles) about the difficulty of quitting Facebook. Even if you "quit", they still keep all your information and when you sign up again it comes right up. You actually have to e-mail them to get them to delete your information, pictures, etc.