Security Protection – Harry Waldron MVP

January 24th, 2013:

Facebook – New Graph Search and Privacy Considerations

With the new Graph Search facility, privacy safeguards are important for all Facebook users.

http://facecrooks.com/Internet-Safety-Privacy/How-Will-Graph-Search-Affect-Your-Facebook-Privacy.html

https://www.facebook.com/about/graphsearch/privacy

QUOTE: Facebook introduced “Graph Search” on Tuesday, a new search technology that allows users to search and filter through content that has already been shared by their friends. For instance, if you wanted to know the best deli on a certain block in Manhattan, you could search through your friends’ posts and tags to see if they had ever been there, reviewed it or Liked it. In short, anything you’ve shared on Facebook will become searchable by whoever you allow to see your profile. Of course, this raised a lot of questions about the security and privacy of users’ content. Facebook released the video shown below to help explain how Graph Search would affect user privacy, and they have a full page dedicated to Graph Search and Privacy:

Twitter – Vulnerability allows application security level changes

Twitter users should be careful when using their Twitter credentials to sign in to third-party sites outside of Twitter itself, and should especially keep track of any applications authorized on their account.

http://securitywatch.pcmag.com/none/307241-twitter-bug-changes-application-security-levels-on-twitter

http://blog.ioactive.com/2013/01/you-can-not-trust-social-media-twitter-vulnerable.html

QUOTE: Many Web applications allow users to sign in using their Twitter and Facebook accounts instead of creating yet another account. It is convenient for users and application developers can access user data stored on the social networking site. Cesar Cerrudo, a security researcher with IOActive, stumbled across a flaw in which these applications could wind up with higher levels of access than they should have. In a post on the IOActive Labs Research blog, Cerrudo described how he was testing a Web application (still under development) which allowed users to sign in with Twitter or Facebook. At the “Sign in” page, Cerrudo saw that the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The page also explicitly stated the application would not have access to his Direct Messages or his password.

RECOMMENDATION: You should periodically audit the list of applications that have permission to access your Twitter and Facebook accounts to make sure there are no unexpected surprises. Check to make sure all the applications that are authorized are applications you added, and still need. Drop any that you don’t use anymore. Also, check the permission levels to make sure the settings are appropriate.
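The two defensive habits above, the application not assuming it holds only the access it displayed, and the user periodically auditing authorized apps, can both be written down as checks. The following is an added example and is not code from this post, from IOActive, or from PCMag; it does not reproduce the Twitter flaw itself. The first function is the generic OAuth 2.0 client-side check: RFC 6749 section 3.3 allows the authorization server to issue a token whose scope differs from the one requested, so a client that never compares the returned scope with what it asked for can silently hold more access than it told the user. The second function applies the audit from the recommendation to a constructed list of authorized apps. All scope names, app names, permission levels and dates are constructed sample data, not Twitter's or Facebook's real values.

```python
"""Added example: two defensive checks around third-party sign-in permissions.

Constructed sample data throughout; nothing here is a real provider's scope
or permission vocabulary.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple


def parse_scope(scope_param: str) -> Set[str]:
    """Split a space-delimited OAuth 2.0 scope string into a set of scope tokens."""
    return {s for s in scope_param.split() if s}


def check_granted_scopes(requested: Iterable[str], token_response: Dict[str, str]) -> List[str]:
    """Return the scopes granted beyond those the client requested (sorted).

    RFC 6749 section 3.3: if the token response omits "scope", the granted
    scope is identical to the requested one, so nothing extra is reported.
    A non-empty result means the client holds more access than it displayed
    to the user and should drop the token or down-scope before using it.
    """
    requested_set = set(requested)
    granted = token_response.get("scope")
    if granted is None:
        return []
    return sorted(parse_scope(granted) - requested_set)


@dataclass
class AuthorizedApp:
    """One entry from the account's list of authorized applications."""
    name: str
    permission: str   # constructed levels: "read", "read-write", "read-write-dm"
    last_used: date


# Constructed permission levels ranked lowest to highest.
PERMISSION_RANK = {"read": 0, "read-write": 1, "read-write-dm": 2}


def audit_authorized_apps(
    apps: Iterable[AuthorizedApp],
    expected: Dict[str, str],
    today: date,
    unused_after_days: int = 90,
) -> List[Tuple[str, str]]:
    """Flag apps the owner did not add, has not used, or that exceed expected access.

    `expected` maps app name -> the highest permission level the owner intends
    that app to hold. Returns (app name, reason) findings.
    """
    findings: List[Tuple[str, str]] = []
    for app in apps:
        if app.name not in expected:
            findings.append((app.name, "not in the owner's list of added apps"))
            continue
        if PERMISSION_RANK[app.permission] > PERMISSION_RANK[expected[app.name]]:
            findings.append(
                (app.name, f"holds {app.permission}, expected at most {expected[app.name]}")
            )
        idle_days = (today - app.last_used).days
        if idle_days > unused_after_days:
            findings.append((app.name, f"unused for {idle_days} days"))
    return findings


# Constructed sample account: four authorized apps and what the owner remembers adding.
SAMPLE_APPS = [
    AuthorizedApp("PhotoPrinter", "read", date(2013, 1, 20)),
    AuthorizedApp("TweetScheduler", "read-write-dm", date(2013, 1, 22)),
    AuthorizedApp("OldQuizApp", "read-write", date(2012, 6, 1)),
    AuthorizedApp("MysteryApp", "read", date(2013, 1, 10)),
]
EXPECTED = {"PhotoPrinter": "read", "TweetScheduler": "read-write", "OldQuizApp": "read-write"}
TODAY = date(2013, 1, 24)  # fixed "today" so the sample audit is reproducible


def run_sample_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample account."""
    return audit_authorized_apps(SAMPLE_APPS, EXPECTED, today=TODAY)


if __name__ == "__main__":
    # Client-side check: asked for read only, constructed provider granted more.
    extra = check_granted_scopes(["read"], {"access_token": "t", "scope": "read write direct_messages"})
    print("scopes granted beyond request:", extra)
    for name, reason in run_sample_audit():
        print(f"{name}: {reason}")
```

Running the module prints the two extra scopes and three audit findings: TweetScheduler holds a higher level than expected, OldQuizApp has been idle well past the threshold, and MysteryApp was never added by the owner. Both functions are pure and take their inputs explicitly, so the same checks can be wired to a real token response or a real exported list of authorized apps without changing the logic.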