Friday, January 28, 2011

What happened to Facebook: was it really hacked?

There was a lot of hoo-ha and speculation yesterday after Mark Zuckerberg’s official Facebook fan page was updated with an unauthorised post.

Initially, Facebook declined to comment on what – at first glance – appeared to be an embarrassing security faux pas by Zuckerberg or one of his staff authorised to update the page.

Understandably there was speculation that Zuckerberg or one of his colleagues might have had their passwords guessed or stolen, or perhaps had been ‘sidejacked’ by a tool such as FireSheep while using an unencrypted free WiFi hotspot.

Those were certainly our first thoughts, but now new information shared by Facebook’s security team with the press tells a different story.

For instance, CNET’s Elinor Mills reports that Facebook discovered that an API bug allowed unauthorised parties to post status updates to public Facebook fan pages.

This meant that personal information wasn’t stolen from anyone’s Facebook account – which is a very good thing.

So, it wasn’t a story of a 26-year-old logging in at Starbucks and not realising that someone could be intercepting the communications. And it wasn’t a tale of a junior member of staff being given the keys to administer a page with 2.8 million fans, only to choose a weak password like “123456789”.

Those kinds of mistakes aren’t uncommon, of course, and they are security issues which you should be mindful of if you are responsible for the protection of computers and online activity inside your own organisation.

Instead, it turns out that the true story of the Zuckerberg fan page hack is much worse, because a vulnerability in Facebook’s code allowed unauthorised parties to post updates to pages, which could potentially have been used for the purposes of phishing, spam and even malicious attack.

And it wasn’t just Zuckerberg’s fan page which was affected. Facebook declined to say which other pages had been hit by hackers exploiting the vulnerability – but it appears that other “high-profile” pages were also impacted.

Facebook has not revealed whether they believe that French President Nicolas Sarkozy’s fan page (which was also breached earlier this week) had been affected by the same bug, but the suspicion must be there.

So, what does this mean for you if you’re a sysadmin responsible for securing your company’s Facebook presence?

Well, the good news is that Facebook says the API bug has now been fixed. They haven’t, however, said whether they have informed the owners of any other Facebook fan pages or removed posts which may have been published via the flaw.

So, if you are the administrator of a popular page on Facebook, it wouldn’t do any harm to check that all is in order. You may also want to ensure that your public forums are regularly monitored, just in case a similar incident occurs in the future which might result in your Facebook fans receiving unauthorised updates.

After all, one wonders whether the API vulnerability would have been found so promptly if it hadn’t impacted the official fan page of Facebook’s CEO.

Furthermore, now would be a good time to audit your Facebook page administrators – ask yourself who has access to post to your company’s pages and whether they are following sensible security practices (such as unique, hard-to-crack passwords and use of HTTPS when accessing the site).

This may not have been the issue that caused the Zuckerberg fan page defacement, but it still makes a lot of good sense to follow these guidelines inside your company.
