Facebook hits back at hacked Groups claims

11 November 2009

Facebook hit back at a grassroots digital privacy group this week, after the group criticized the social media giant's handling of its Groups functionality. Control Your Info, a group hoping to highlight information privacy flaws in social media applications, revealed that anyone can take over ownership of a Facebook group that has no administrators.

Control Your Info, a group of four developers and designers, brought the capability to light in a posting on its website. A simple Google search throws up Facebook groups which have no administrators, it said.

"When you're the admin of the group, you can basically do anything you want with it. You can change its name, and the group's members won't even get a notification of it", the privacy collective advised. "You can send mails to all members and edit info."

Erik Hiort, one of Control Your Info's founders, argued that administrator roles shouldn't be up for grabs without restrictions. "There are several possibilities to solve this", he said. "Maybe only users who've been in the group for a predefined period should have the possibility to apply for the admin role?"

Facebook, which allegedly shut down Control Your Info's fan page, hit back at reports that groups on the service had been hacked.

"There has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group", Facebook said in a statement.

"Group administrators have no access to private user information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members. The names of large groups cannot be changed nor can anyone message all members. In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups."

However, Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, disagreed with Facebook. "It is a vulnerability, unless of course it's expected behavior for someone to take over someone else's group", said Grossman, who gave a presentation on application logic flaws at the Black Hat conference in 2008.

Although he said that the management of Facebook group administrator roles is likely to be more of an annoyance than a real security risk, he did acknowledge that it might be possible for someone to gain ownership of the group and then exploit the trust of unobservant group members by sending them malicious messages or application requests.
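The takeover described in the article is an authorization logic flaw rather than a break-in: the only check is "is there an admin yet?". The model below is an added example in Python, not Facebook's code; it contrasts that open policy with the tenure-gated, member-notified policy Hiort suggests. The 90-day threshold, the function names and the sample members are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Group:
    name: str
    members: dict                 # user -> date the user joined
    admins: set = field(default_factory=set)
    notices: list = field(default_factory=list)   # what members get told

def claim_admin_open(group, user):
    """Behaviour the article describes: any member of an admin-less group
    may become its administrator, with no tenure check and no notice."""
    if user not in group.members or group.admins:
        return False
    group.admins.add(user)
    return True

MIN_TENURE = timedelta(days=90)   # assumed value for Hiort's 'predefined period'

def claim_admin_tenured(group, user, now):
    """Hardened variant: only long-standing members may claim the role,
    and every member is told who took it, so a takeover is visible."""
    if user not in group.members or group.admins:
        return False
    if now - group.members[user] < MIN_TENURE:
        return False
    group.admins.add(user)
    group.notices.append(f"{user} became admin of {group.name!r}")
    return True

def rename_group(group, actor, new_name):
    """Renames are admin-only and always announced, closing the silent
    rename the article quotes Control Your Info on."""
    if actor not in group.admins:
        return False
    old, group.name = group.name, new_name
    group.notices.append(f"{actor} renamed {old!r} to {new_name!r}")
    return True

def sample_group():
    # Constructed data: an abandoned group with a veteran and a newcomer.
    return Group("Alumni 2004", {
        "alice": datetime(2008, 1, 1),
        "bob": datetime(2009, 11, 10),   # joined yesterday
    })

NOW = datetime(2009, 11, 11)
```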

This article is featured in:
Application Security • Internet and Network Security
