Facebook changes raise serious security concerns

Facebook’s planned changes, while increasing interaction between users, could also flood the site with Twitter-style spambots and increase targeted attacks, according to Bitdefender.

The last few weeks have been hot for Facebook users. After updating Privacy Controls and silently pushing the Smart Lists, the f8 pushed usability and privacy to a new level: Subscribers, News Ticker and Wall facelift, and the star of this f8 conference, the Timeline and the new Open Graph features.

Alexandru Catalin Cosoi, Head of Online Threats Lab at BitDefender, comments for Help Net Security: “Although these changes are probably welcomed by the community, they do raise a set of questions whether they won’t also provide a set of advantages to spammers and malware writers. Based on our experience with Facebook and Twitter threats, we do expect new types of menaces which will spread using these new features, as we’ve seen what the creative minds of fraudsters are capable of.”

While these new features will increase interaction between users, privacy and security issues were pushed to new limits. Here are the five main concerns.

1. Smart Lists will push users to share more info publicly, supplying the perfect weapon for targeted attacks.

Smart List encourages people to complete their profile with job, education and work projects. Every time somebody creates a list with colleagues from a specific job, they tag this in their profile. Of course, this is generally not confidential information, and the users have the final decision in approving the info.

But having this information public and indexable will make it easier to create high-level targeted attacks. Knowledgeable attackers can find out exactly who is working in a specific company, their job and, more importantly, what project they are working on. And we are talking about 800 million users.

2. Subscribers could increase the number of spambots, just like on Twitter.

The main difference between Facebook and Twitter attacks is that Facebook has many hijacked accounts while Twitter is inundated with spambots. With the new subscriber feature, Facebook is open to spambots and “how to get more subscribers” schemes. Copying Twitter features may also mean importing Twitter scams.

3. Everything you’ve ever shared on Facebook is now available and easy to browse.

The Timeline is a revolution of usability. But it’s also the open story of our life. If a user doesn’t change the default settings to restrict who can see the wall, this story will be available to anyone: friends, photos, places you’ve checked in, relations and much more. It was available until now, but not so easy to use.

4. Health is now social and public.

The Facebook timeline considers health information social. Now it’s easy to share health-related information such as breaking a bone, undergoing surgery or overcoming an Illness. Probably most disturbing point here is that this information is set to “Public” by default.

5. Widgets: the open door to interactive scams.

Facebook introduces the “widget” concept to the new timeline. It lets developers take action on various objects. This moves the interaction to a whole new level. Until now, everyone who had an application installed interacted with his friends inside the app. Now, the app is on the user wall, so anyone who interacts with the user profile interacts with the app.

Considering the short lifetime of spammy apps, this could boost their efficiency. Of course, this feature is just starting, so it will likely take a while until the scammers exploit it. But every successful viral feature has eventually been exploited by social media scammers.

With more and more information in the profile, the account hijacking problem has become increasingly important. Facebook is doing a lot in eliminating noise, but has taken no important step in security. After the large number of problems related to Facebook security, many expected an announcement regarding session hijacking on unsecured connection, a notable security issue for many Facebook users.

Don't miss