In times of major political events such as the recent US midterms and the Brazilian presidential election, social media platforms often find themselves in the spotlight for their ineffectiveness in tackling misinformation. However, while the debate usually focuses on the platforms’ mechanisms and processes for fighting fake news, what they offer their users, including politicians, to secure their accounts and prevent account takeover being used for misinformation campaigns is rarely discussed.
Researchers from Cerby, a US security company, analyzed the security controls offered by five prominent social media platforms (Meta’s Facebook and Instagram, Reddit, TikTok and Twitter) and published their findings in a post on November 10, 2022.
Facebook was ranked the most secure of the five platforms, with an overall score of 3.34 out of 5, according to the Cerby research. Twitter came second with 2.75 and Instagram third with 2.68. TikTok received 2.00 and Reddit was judged the least secure platform, with the lowest score of 1.95.
“The fact that Facebook is in the lead regarding security controls certainly comes from them being often in the spotlight. It shows that, unfortunately, it takes privacy/security incidents for most larger organizations to make significant changes to their offering,” Matt Chiodi, chief trust officer at Cerby, told Infosecurity.
Unmanageable applications
To come up with these ratings, Cerby identified five categories (two-factor authentication, enterprise-grade authentication and authorization, role-based access control, privacy, enterprise-ready security and account usage profiling) and scored each platform from 0 to 5 in each category: 0 when there is no current support and no publicly announced roadmap to offer it; 1 when support is on the roadmap; and 2 to 5 depending on the level of support.
“Our biggest takeaway is that all five social media platforms lack the enterprise-grade authentication options, a category we put a heavy weight on, thus making them fall onto an emerging type of services that we call ‘unmanageable application,’” Chiodi stated.
Cerby defines enterprise-grade authentication as support for single sign-on (SSO) standards, which let a user log in to several related software systems with a single identity, and for authorization standards that manage access for a team of people. Identity providers such as Okta, Auth0 and Microsoft Azure Active Directory supply these.
To measure this, Cerby examined whether each social media platform supported the Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) standards for SSO, and the Open Authorization (OAuth) and System for Cross-domain Identity Management (SCIM) standards for access authorization. Strictly speaking, SCIM is a provisioning standard: it lets the identity provider create, update and deactivate accounts in the application, which is what allows an organization to revoke a departing employee’s access centrally rather than hunting for shared credentials.
“We found that none of these platforms had sufficient support for it and some had no support or public roadmap,” Chiodi claimed. In this category, which accounted for 25% of the final score, Cerby gave a score of 1 out of 5 to all platforms but Facebook, which received 1.67.
TikTok and Reddit bottom of the class
The other significant category was two-factor authentication (2FA), which accounted for 30% of the overall rating.
Here, Cerby analyzed whether the five platforms offered 2FA at all and how strong the 2FA methods they offered were.
“All platforms supported SMS-based 2FA, but we only gave it a 5% weight because it’s the weakest form of 2FA. We gave greater importance to time-based one-time password (TOTP), a stronger method that services like Okta or Google Authenticator use, and to password-less methods using the FIDO2 standard, that only Facebook and Twitter support,” Chiodi said.
In this category, Facebook received a 5, Twitter a 4.67 and Instagram and Reddit were both given a 3.33. TikTok trailed with 1.67.
“TikTok scored lowest on almost all categories,” Chiodi noted.
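The TOTP method Chiodi contrasts with SMS codes is fully specified in RFC 6238 (built on HOTP, RFC 4226), so it can be shown end to end. The following is an added example written for this page, not code from Cerby or from the article: it generates TOTP codes and verifies a submitted code the way a platform’s login endpoint would, allowing one time step of clock skew and refusing replay of a code already accepted. It assumes the RFC’s published test key and SHA-1, which is what authenticator apps use by default; the skew window and the replay check are design choices of this example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and shows it as a QR code.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step).
    Both the authenticator app and the server derive the same counter from the clock."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: int, last_step: Optional[int],
                step: int = 30, digits: int = 6, window: int = 1) -> Tuple[bool, Optional[int]]:
    """Server-side check. Returns (accepted, step_used).

    - Tries the current step and +/- `window` neighbours so a phone whose clock
      is a few seconds off is not locked out.
    - Refuses any step <= last_step, so a code that was already accepted (or one
      captured by an attacker) cannot be replayed inside its validity window.
    - Uses a constant-time comparison so timing does not leak which digits matched.
    """
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return True, candidate
    return False, None


if __name__ == "__main__":
    # Reproduces the RFC 6238 SHA-1 test vector for T = 59 seconds (8 digits: 94287082).
    code = totp(RFC_TEST_KEY, 59)
    print("code at t=59:", code)
    ok, step_used = verify_totp(RFC_TEST_KEY, code, 59, last_step=None)
    print("first use accepted:", ok, "step:", step_used)
    # Same code submitted again 16 seconds later: still inside the skew window, but replayed.
    print("replay accepted:", verify_totp(RFC_TEST_KEY, code, 75, last_step=step_used)[0])
```

The server must persist `step_used` per user after a successful login; without it, the skew window that keeps legitimate users from being locked out is exactly what lets a phished code be reused. None of this stops a real-time phishing proxy that relays the code within its 30-second window, which is why Cerby weighted FIDO2, where the credential is bound to the site origin, above TOTP.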
Reddit, however, received the lowest overall score, dragged down by a 0 in the access-control category, which measures how granularly a platform lets an account owner manage third-party access to the account and accounted for 10% of the overall rating.
The social forum firm challenged the research and said Reddit is “a secure platform with strict policies and enforcement against disinformation.” A Reddit spokesperson also told Infosecurity that “this research attempts to analyze security controls, not disinformation, and doesn't take into account that Reddit is based on the concept of pseudonymity, and users on Reddit follow interest-based communities rather than specific individuals.”
According to Chiodi, however, such security shortcomings have a tangible impact on the risk of disinformation. “In 2020, prominent Twitter accounts were hacked, including President Barack Obama’s, Kanye West’s, Michael Bloomberg’s and Warren Buffett’s. These accounts, with a collective audience of 250 million people, suddenly urged their followers to buy Bitcoin. And it turned out the criminals were teenagers! What if, instead, they were nation-state actors trying to propagate disinformation?” Chiodi asks.
“This lack of security controls on such globally used services is not uncommon: we found earlier this year that 61% of the top 10,000 cloud applications lack support for the enterprise-grade options we analyzed, for instance. But it’s a travesty for political leaders and businesses across the globe that rely on them to talk to consumers. It leaves them susceptible to credential reuse attacks,” he adds.
Based on the findings, researchers at Cerby recommend that politicians and companies focus their efforts on mature platforms scoring 2.6 or higher.
Meta, Twitter and TikTok were contacted by Infosecurity but did not respond to requests for comment.