The takeover of administration rights to a large number of Facebook groups by an organization that calls itself Control Your Info is just one example of the many security issues facing social-networking sites in general and Facebook in particular, according to experts.
Indeed, this nontechnical exploit can be called a benign example of what is at risk if better controls aren't put in place. Control Your Info hijacked almost 300 groups by simply taking over unadministered groups. Dave Amsler, the cofounder and CIO of Foreground Security, said the illegitimate administrators have access to profile information, e-mail addresses and other data that members have provided. He pointed out that credit-card numbers aren't involved.
Hijacker Message
Control Your Info posted this message at those groups:
"Hello, we hereby announce that we have officially hijacked your Facebook group.
"This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly [sic]."
The group didn't respond to a request for an interview sent to the e-mail address at its web site.
Facebook's press-relations department e-mailed a statement which read in part that "there has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to private user information and group members can leave a group at any time."
Bigger Problems
The situation is evidence of significant vulnerabilities in Facebook, Amsler said. "The social-networking sites -- Facebook being the most important -- have major security issues," he added. "No one is bothering to secure anything."
He said the company seemed unconcerned when contacted. "We've reported major findings to them and their response is, 'Yeah, we know about it. There is not a whole lot we can do about it.'"
Amsler added that he agrees with the stated aims of Control Your Info -- to call attention to what critics say is an insecure Facebook environment -- but thinks the group acted unethically in hijacking groups. Still, he believes that Facebook probably will make the relatively easy, nontechnical changes necessary to prevent the hijackings.
Facebook defended its practices. "Security is a top priority for Facebook, and we devote significant resources to helping our users protect their accounts and information," according to a spokesperson. "Any assertion to the contrary is false. We think this focus on security is a major reason Facebook was recently named one of the top 10 most trusted companies in an independent survey conducted by TRUSTe and the Ponemon Institute."