Many companies that do not object to their employees using company resources for personal uses such as web surfing still restrict access to sites that are potentially illegal, to protect the company from civil or potentially even criminal penalties. But now corporate IT teams around the globe have to decide whether Facebook and other social networking sites are such a great security risk that access to them has to be restricted to protect the corporation's assets.
Social networking sites try to enhance users' web experience by utilizing basic web techniques in ways that encourage collaboration and interaction. These sites began as single-service sites such as blog-only sites like Blogspot.com, photo-only sites such as Flickr.com and bookmark-only sites such as Del.icio.us. But they have evolved into rich sites such as Facebook.com that provide a vast array of functionality, interaction, sharing, communication, etc... Facebook.com has been especially successful, at least in part, due to its model of focusing on application support functionality and not end-user features. Independent developers (i.e.: not Facebook.com employees) are then incentivized to write and deploy successful applications on Facebook.com. By providing the foundation and scaffolding for the site and not getting bogged down in specific user features or business models for each feature, the site quickly became one of the most popular and richest social networking sites on the web, leaving much better established competition such as Myspace.com behind.
Facebook.com has recently had a number of high-profile security breaches, including the photo breach of March 2008, the Facebook.com code leak of August 2007, a set of problems including allowing the running of arbitrary code, again in August 2007, as well as a host of others (see The Register's pages on Facebook.com's security). As early as 2005, the Samy worm utilized a cross-site scripting vulnerability on Myspace.com that was so successful that within hours it caused Myspace.com to grind to a halt. Facebook.com, recognizing the potential threat to its customer base (and its revenue), has frantically been implementing, and in some cases practically advertising, its ever-improving security functionality (see Facebook press releases from November 2007, March 2008 and July 2008). The pressure for privacy and security was so intense that the November 2007 press release is essentially an apology to its readers, containing statements such as "We've made a lot of mistakes building this feature, but we've made even more with how we've handled them."
Yet, despite all the best efforts of Facebook.com, in the beginning of September, researchers created a proof-of-concept Facebook application that was actually a Trojan called Facebot. If this had been a real attack, any user that would run the application would silently have their computer taken over and made part of a botnet.
While Facebook.com and other social networking sites appear to be doing their best to provide security, they are clearly failing. The problem seems to lie in the very nature of the business model of these sites: they are designed to allow user interaction, communication, cooperation, etc... while still providing security and privacy. Combining free interaction and communication with security and privacy is a large task for any development team to manage. Sites like Facebook have an even bigger problem to deal with in that they allow third-party developers to extend the Facebook site with applications.
Of all the social networking sites, Facebook.com might have the largest API and hence the biggest risk. By my count, the basic Facebook API is based on REST and has 72 methods in it (6 of them still in beta as of 9/9/2008). On top of this, there are several other APIs, including the Canvas/IFrame API, the Data Store API, the HTML and XHTML extensions (FBML and XFBML), and FQL, a SQL-like language. Maintaining security in such a large and rapidly growing API is practically impossible. A single design mistake or a single implementation error can obviate all security efforts. As if all of this is not complicated enough, Facebook supports 17 libraries for different programming languages and platforms.
While Facebook is very popular and, with its 17 libraries, has a very large footprint, other social networking sites are having their own security problems. One of the more sophisticated attacks occurred in the beginning of September. The attack utilized two social networking sites in combination, Twitter.com and Orkut.com, to spread the OrkuTron trojan.
Besides the risk to a company's computing resources, network, proprietary data, customer information, etc... there are many legal questions that have yet to be answered. For example, being that social networking sites are hot spots for impersonation or identity theft, what are the legal ramifications for Company X if Company X's CEO has one of their social networking accounts hijacked and used to post comments that manipulate Company X's stock price?
In my opinion, social networks are adding new features and functionality before they even understand the security requirements of existing features. I think that serious consideration has to be given to prohibiting access to them from within a company's network. Perhaps, if enough companies block access to these sites, social networking sites will understand that they have to change their priorities, reduce their pace of innovation, provide the option of "safe" subsets to users who want it, or find some other solution to their ever-increasing security problems. Until a firm stance is taken demanding more security, the world's corporations will continue to fund people such as Mark Zuckerberg, Facebook's 23 year-old founder and billionaire.
