Researchers Claim Flaws In Facebook; Facebook Calls Them 'Best Practices'
Short passwords, non-SSL-encrypted forms are criticized by Cenzic
Researchers at security vendor Cenzic's labs say they have discovered vulnerabilities in Facebook's logins and passwords, but the social networking site says the issues are not security flaws.
"We disclosed our findings to Facebook in hopes that they would want to fix the problems," says Mandeep Khera, head of marketing at Cenzic. "In several cases, they rejected the idea that these are vulnerabilities -- they called them 'best practices' that make [the site] easier to use."
Among the "flaws" that Cenzic found were applications that can link to Facebook using a six-character password that is not case-sensitive, Khera says. "A six-character password could be broken in a matter of minutes," he says. "But Facebook calls this a best practice because it makes it easier for the user."
Similarly, Cenzic found that some data on Facebook is sent in the clear, Khera says. "You use SSL to get into the forms, but when you fill out the form and send it back, that data does not go over SSL," he says. Facebook rejected this "vulnerability" also, according to Khera.
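The second issue Khera describes, a form served over SSL whose submission goes back over plain HTTP, is easy to check for mechanically. The following is an added example, not code from Cenzic or Facebook; the page URL and HTML are constructed for illustration, and it flags any form whose resolved action would leave HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: the page itself is served over HTTPS, but one form
# posts its fields back to a plain-HTTP endpoint.
PAGE_URL = "https://social.example/login"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="http://social.example/login/submit">
  <input type="password" name="pass"></form>
<form id="search" method="get" action="/search"><input name="q"></form>
<form id="profile" method="post" action="https://social.example/profile/save">
  <input name="bio"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect (id, method, action) for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append(
                (a.get("id") or "", (a.get("method") or "get").lower(), a.get("action") or "")
            )


def find_insecure_forms(page_url, html):
    """Return ids of forms on an HTTPS page whose submission would leave TLS.

    A relative action resolves against the page URL and so inherits https;
    an absolute http:// action sends the submitted fields in the clear.
    """
    parser = FormCollector()
    parser.feed(html)
    insecure = []
    for form_id, method, action in parser.forms:
        target = urljoin(page_url, action)  # empty action -> the page itself
        if urlparse(target).scheme != "https":
            insecure.append(form_id)
    return insecure
```

Running it on the constructed page reports only the login form, since the search and profile forms resolve to HTTPS targets.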
Cenzic found other issues related to authentication and handling of passwords on Facebook, but the social networking site does not plan to do anything about them, Khera says.
To help social networking sites identify this type of flaw, Cenzic’s new LikeSec program is offering all social networking sites and their application developers a free "HealthCheck," which includes a vulnerability assessment using Cenzic’s Cloud offering.
2011