Risk
1/24/2011
12:06 PM
50%
50%

Facebook Defends Security Practices

The social network responds to report alleging it puts the safety of its 650 million users at risk by not better securing third-party applications.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business

Is Facebook's app system inherently unsafe for the social network's 650 million users?

Responding to that exact criticism, the company last week issued a statement defending its security practices. "We have a dedicated team that does robust review of all third-party applications, using a risk-based approach. That means that we first look at velocity, number of users, types of data shared, and prioritize," said Facebook. "This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched."

The company's statement was issued in reaction to a new threat report from Sophos, released on Wednesday. According to the report, "with furious debate raging every time privacy and security settings are tweaked on Facebook, it seems that functionality and ease-of-use triumph over security every time."

To better protect users, the report recommended that Facebook take a page from Apple and adopt a walled garden approach, in which applications would require "official approval before they can be uploaded to the site and shared with other users."

In its statement, however, Facebook seemed to stand by its post-screening security process. "We have built extensive controls into the product, so that now when you add an application it only gets access to very limited data and the user must approve each additional type of data," said Facebook. "We make sure that we act swiftly to remove/sanction potentially bad applications before they gain access to data, and involve law enforcement and file civil actions if there is a problem."

But Graham Cluley, senior technology consultant at Sophos, said the current approach can't keep up with the volume of new threats. "Facebook Security is effectively playing whack-a-mole, hammering the latest rogue app whenever they happen to spot it, and hoping that not too many accounts were compromised in the meantime. Unfortunately, quite often Facebook Security don't seem to spot the scams until they have spread far and wide."

Interestingly, the Sophos report released on Wednesday also found that "more than half of the companies surveyed imposed no limitations on accessing Facebook, Twitter, and LinkedIn -- and less than a quarter of firms completely block these sites."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

CVE-2014-9197
Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

CVE-2014-9198
Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVE-2014-9646
Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.