Friday, 27 September 2013

Facebook You Have 3 Security Pokes and 1 Message

In August, a Palestinian Facebook user, known as Khalil, found a flaw that allowed someone to post on any other user's Facebook wall, even without being one of that user's 'friends'.


Khalil notified the Facebook security team, but they refused to correct the flaw and told him it was not a bug. To drive home his point, Khalil then utilized the very same flaw to post this on Mark Zuckerberg's timeline:


'[A] couple of days ago I discovered a serious Facebook exploit that allows users to post to other Facebook users timeline while they are not in friend list.'


There was no sensitive data breached, so this is not a serious issue, right? Wrong.


This is a perfect illustration of a business that is not approaching information security and privacy strategically. This is in spite of a previous privacy reprimand by the .


Facebook has over a billion users who are posting sensitive information and are being encouraged to share more. One of the main features from a privacy perspective is that only a user or their friends can post to that user's Facebook wall.


Khalil's finding allowed him to post messages and photographs to *any* of Facebook's 1.11 billion users' walls - something which in the wrong hands could be a very effective way of spreading malware, scams or malicious links.


There are a couple of problems here:


Why did the problem exist? Is there a weak process for detection of security vulnerabilities? Doesn't Facebook have a process for penetration testing that validates business logic?

Any good penetration tester will check the business logic as well as perform checks for security vulnerabilities, such as injection flaws (it seems like this was a 'loadtextinjection' flaw). They should check use cases and 'abuse' cases. Regardless of the type of flaw, the fact that it existed and Facebook was not aware of it indicates they are not taking adequate steps to ensure security and privacy of their application through a secure and mature development process.


Security penetration testers test the rules for the business function being provided by the application, such as, 'What, if any, restrictions are there on people's behavior?' Then, they consider whether the application enforces those rules. It's generally pretty easy to identify the test and analysis cases for both security and quality control of the application.
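The use-case and abuse-case approach described above, as an added example that is not from the original article and does not reproduce how the real flaw worked. It is a toy wall-posting model (all handler names, users and data are hypothetical) checked against the rule that only a user or their friends may post to that user's wall.

```python
# Constructed sample data: one accepted friendship, one request still pending.
FRIENDS = {("alice", "bob")}
PENDING = {("carol", "alice")}  # a pending request must NOT count as friendship

def are_friends(a, b):
    return (a, b) in FRIENDS or (b, a) in FRIENDS

def post_unchecked(author, wall_owner, walls, text):
    """Hypothetical handler that trusts the caller and enforces no rule."""
    walls.setdefault(wall_owner, []).append((author, text))
    return True

def post_checked(author, wall_owner, walls, text):
    """Hypothetical handler that enforces the business rule server-side."""
    if author != wall_owner and not are_friends(author, wall_owner):
        return False
    walls.setdefault(wall_owner, []).append((author, text))
    return True

# (author, wall owner, should the post be accepted under the rule?)
CASES = [
    ("alice", "alice", True),     # use case: posting to one's own wall
    ("bob", "alice", True),       # use case: friend posts to a friend's wall
    ("mallory", "alice", False),  # abuse case: stranger posts to a wall
    ("carol", "alice", False),    # abuse case: request sent but not accepted
]

def failed_cases(handler):
    """Run every case against a handler; return those that violate the rule."""
    failures = []
    for author, owner, expected in CASES:
        walls = {}
        accepted = handler(author, owner, walls, "hello")
        # Check the stored state too, not only the handler's return value.
        stored = (author, "hello") in walls.get(owner, [])
        if accepted != expected or stored != expected:
            failures.append((author, owner))
    return failures

if __name__ == "__main__":
    print("unchecked handler fails:", failed_cases(post_unchecked))
    print("checked handler fails:  ", failed_cases(post_checked))
```
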


This bug relates to basic functionality and is critical from a privacy perspective.


The response from the security team: they didn't realize that this was a violation of privacy in their application.

The two points above, the existence of the flaw and the security team's response, are related and indicate a lack of a mature, security-aware development process. This indicates a security program that is not strategic and not aligned with the business, which is an online social networking site containing sensitive personal information of a billion-plus global users.


It is commendable of Facebook to be able to design the plane in flight, no doubt an enviable place to be, but you cannot stay in flight if the plane is not built securely.


Khalil, if you were planning to post something on my Facebook wall, you'll find that I've deactivated my account!


Pamela Gupta is a senior security consultant at OutSecure Inc. She can be reached on Twitter at @pamegup

