Security experts are calling for tighter controls on social networking sites following the discovery of a security flaw that left the account information of millions of users vulnerable to harvesting.
Packet Storm, the security firm that reported the vulnerability and worked with Facebook to address the data disclosure flaw, said that legislators must craft stricter laws on how social networking firms can manage data and how users can manage their information.
The company said: "There comes a time when a line in the sand must be drawn. We need clearly defined legislation that dictates when that line is crossed and what the repercussions should be. We need to clearly document what is considered sensitive information tied to a personal identity versus what should be considered public domain."
The issue, disclosed by Facebook last week, is in the site's Download Your Information feature. The flaw caused the export to improperly include contact information about friends, allowing users to see the email addresses and phone numbers of contacts who had not otherwise made them visible.
Mike Gross, director of professional services for security firm 41st Parameter, said that while the data may only be available to friends, an attacker could exploit the feature to target the friends and family of a compromised user.
"This makes phishers' jobs much easier, as they now potentially have access to an email address, as well as the individual's closest connections/relationships," Gross explained.
"So rather than getting a phishing e-mail with a link from Facebook or another site, a fraudster could make the phishing e-mail look as though it is originating from your close friend with a link that looks legitimate but sends the user to a site that downloads malware to their device."
Packet Storm noted that while Facebook has worked quickly to address this incident, the real danger lies in the way that social networking sites are allowed to manage user data. The company believes that government intervention may be needed to set a standard for how sites can manage and revoke access to user data.
"Facebook reacted to the incident in a responsible manner in order to fix the leak. What is not fixed is their policy," the company said.
"They will continue to maintain dossiers with your personal information without giving you any control over it. They simply claim it is not your data, it is your friend's."