Posted by: GuyPardon
Cross-site scripting, identity theft, Phishing, Security, Social network, Twitter
While no apparent damage to privacy or senstive data has occurred through this XSS exploit, the lesson from the past 24 hours is that a social media usage policy needs to be drafted, promulgated and enforced ASAP.
Although Ben Parr wrote on the social media blog Mashable that Twitter exploit had been fixed, echoing Twitter staff comments, Naylor followed up today with evidence that the Twitter exploit still works – just visit @APIfail2 for a (harmless) example. You’ll need to view the account using a Web browser, given that 3rd party clients are not affected by the issue.
TechCrunch has picked up the lack of resolution to the Twitter security issue. Robin Wauters, the author of the post, has sought further comment from the startup. Although the security team at the online social messaging startup is no doubt working overtime to address the issue in a more substantive way, this episode only adds fresh concerns about the Twitter security risks I reported on in June. Twitter may need to hire a CISO soon.
Such online security concerns, however, aren’t hardly limited to Twitter. If anything, Facebook is an even bigger target, both because of its size and the likelihood of more personal information in profiles. That reality hasn’t gone unnoticed by hackers, as rogue Facebook phishing applications popped up last week.
What does this all means for the compliance and security community? It’s time to get serious about addressing the risk by drafting a social media policy that uses available DLP technology, sets expectations for online privacy and, perhaps most importantly, includes user education about Web app security, social engineering and phishing. As I reported earlier this month in a story exploring social media and compliance, “fewer than one-third respondents in a recent survey said their organization had a policy in place governing social media use” – and “only 10% of the companies surveyed indicated that they had conducted employee training on such use.”
According to a another survey, from security firm AVG, only 27% social networking users are taking steps too protect themselves against similar online threats. According to “Bringing Social Security to the Online Community,” conducted with the CMO Council, 20% of social networking users have been the victim of . 55% experienced a phishing attack. And 47% said that they’ve had to deal with malware. Stark numbers.
In other words, if social media security wasn’t on your task list already, it should be now.