Posted by: Robert Westervelt
social networking flaws
Could flaws in social networks send the Internet spiraling out of control?
A flaw discovered in URL shortener Cligs (Cli.gs) last weekend demonstrates the fragility of the social networking ecosystem and how potentially dangerous it could be.
Cligs competes against TinyURL and Bit.ly, which dominate link shortening on Twitter. It is recognized as the 4th most used link shortener on Twitter. On Monday, Cligs acknowledged the flaw, calling it a security hole in Cligs’ editing functionality.
"The attack edited most URLs on Cligs to point to a single URL hosted on freedomblogging.com. I've identified the hole and disabled all Cligs editing for now and I'm restoring the URLs back to their original destination states."
Lucky for Cligs that whoever found the gaping hole only forwarded users to a story on freedomblogging.com and not to a porn site or an attack page. According to the blog post, 2.2 million URLs were affected.
Phishing attempts (Twishing), Tweetspam and even Twitter worms are being tracked by the major security vendors. Sammy Chu of Symantec Security Response said today that the vendor has detected fake Twitter invitations carrying a mass-mailing worm. The messages appear to have been sent from a Twitter account.
This is all very close to spiraling out of control. Attackers are latching on to Twitter, MySpace, Facebook and others and using them to spread malware and harvest data. In a recent interview I had with security expert Lenny Zeltser, he said these short bursts of information, 180 characters on Twitter, alone don't raise any eyebrows. But combined with hundreds and in some cases thousands of other posts, the data could be used in a social engineering attack and could in fact harm businesses.
What can be done? To avoid being duped by malicious shortened links, Graham Cluley, a security consultant with UK-based security vendor Sophos who was the first to blog about the Cligs hack, urges people to run a plug-in that expands shortened URLs before they are clicked.
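To make that advice concrete, here is an added example (not code from the original post, from Cligs, or from Sophos) of what such an expander does: it follows a short link's HTTP redirects one hop at a time with HEAD requests, so the real destination is visible before anyone loads the page, and it refuses to chase redirect loops or endless chains. The short URLs and the redirect table used for the offline demonstration are constructed for illustration; the `shared_destinations` check at the end is the sort of mass-edit signal a hijack like the Cligs one would produce, where many unrelated short links suddenly resolve to one destination.

```python
"""Expand shortened URLs without fetching the final page, then look for
many short links collapsing onto one destination.

Added example, not code from the original post, Cligs or Sophos. The
FAKE_TABLE below is a constructed stand-in for a shortener's redirects so
the demonstration runs offline; http_head() is the real transport.
"""
import http.client
from collections import Counter
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url, timeout=5):
    """Issue a single HEAD request and return (status, Location or None).

    Redirects are deliberately not followed here; expand_url() walks them
    one hop at a time so every intermediate destination is visible."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return the chain of URLs visited, from `url` to the final
    non-redirect destination. Raises ValueError on a redirect loop or when
    more than max_hops redirects are seen."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects from %s" % (max_hops, url))


def destination_host(chain):
    """Hostname of the final destination in a chain from expand_url()."""
    return urlsplit(chain[-1]).hostname or ""


# Constructed offline sample: a fake shortener's redirect table.
# Three unrelated short links have been "edited" to one destination,
# one is untouched, and two form a loop.
FAKE_TABLE = {
    "http://cli.gs/abc": (301, "http://example.org/story"),
    "http://cli.gs/def": (301, "http://example.org/story"),
    "http://cli.gs/ghi": (301, "http://example.org/story"),
    "http://cli.gs/ok1": (301, "https://example.net/page"),
    "http://cli.gs/loop": (302, "/loop2"),
    "http://cli.gs/loop2": (302, "http://cli.gs/loop"),
}


def fake_head(url):
    """Transport stand-in for http_head() driven by FAKE_TABLE."""
    return FAKE_TABLE.get(url, (200, None))


def shared_destinations(short_urls, fetch=fake_head, min_links=3):
    """Expand every short link and return {destination: count} for any
    destination that at least `min_links` distinct short links share.
    Links whose expansion fails (loops, too many hops) are skipped."""
    finals = []
    for short in short_urls:
        try:
            finals.append(expand_url(short, fetch)[-1])
        except ValueError:
            continue
    counts = Counter(finals)
    return {dest: n for dest, n in counts.items() if n >= min_links}


if __name__ == "__main__":
    for short in sorted(FAKE_TABLE):
        try:
            print(short, "->", " -> ".join(expand_url(short, fake_head)[1:]))
        except ValueError as err:
            print(short, "-> refused:", err)
    print("shared:", shared_destinations(sorted(FAKE_TABLE)))
```

Against a live shortener, call `expand_url("http://cli.gs/...")` with the default `http_head` transport and inspect `destination_host()` before deciding to click; the redirect table is only there so the logic can be exercised without network access.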
But we can’t rely on the public to take action. And they shouldn’t have to. It probably would be difficult for any group or association to take the lead on ensuring the security of social networks, but these organizations may benefit by joining forces in some sort of social network cabal to hash out standards around security and privacy issues.
The good news is that security researchers seem to be on top of the threats and the alarm is being sounded. But why is it taking a group of concerned security researchers and experts to get Google to better secure its Web applications? Who inside the search engine giant, or any of these websites, is weighing the risks and deciding to let the dice roll on security?
Unfortunately, it may take a catastrophic event to get any of the social media giants to act. They owe it to their millions of users to take action, and it may be the most prudent approach to ensuring their longevity on the Web.
Now go and listen to this interview with Lenny Zeltser on social networking woes.