Hire An 'Ethical' Hacker?

Years ago, when writing for a magazine focused on software developers, reporters would joke about how companies should hire an ethical hacker to find vulnerabilities, or entry points in application, through code. Software and Web developers are typically too close to the code they wrote to find hacker vulnerabilities, although they do well at finding and fixing flaws.

Vulnerability flaws can wreak havoc on a company's infrastructure. While laughing about it in the mid 2000s, now more than ever I think hiring an ethical hacker to identify holes in the platform seems like a pretty good idea because of the sophisticated search, social and ad-serving platforms available today.

Google and Facebook have backpedaled many times for privacy breaches. Perhaps platforms would get released without these holes if companies spent more time researching their platform with help from others who are not as close to the code.

While these flaws are sometimes intentional, those who wrote the platforms might not see the complete picture. Take, for example, the Facebook patent application describing the ability for the social site to receive data from logged-out users to target ads. SEO by the Sea Founder Bill Slawski brings this patent to our attention. It turns out that logging out of Facebook is not enough to stop the company from collecting data on those who maintain a profile on the site.

The first Facebook patent claim explains a method for tracking information about the activities of users of a social networking system while on another domain. It requires the user to maintain a profile and connect with one or more others in the social network. The patent also plainly explains logging the actions taken on the third-party Web site in the social networking system, each logged action including information about the action.

Aside from pointing to the patent, Slawski also links to a post from Australian tech developer Nik Cubrilovic, self-proclaimed entrepreneur, hacker and writer. He wrote a piece on how logging out of Facebook is not enough. It describes how cookies from Facebook are sent to Facebook each time someone visits a page containing a Facebook widget of some type, even after that person logs out of Facebook.

A Facebook engineer wrote the first comment to the post, suggesting that Facebook has no interest in tracking people. Of course not -- but read the patent anyway.

NowSourcing Founder Brian Wallace said "you could say that the first stop on that path to finding the weakest link is often user passwords."

Facebook is not the only social site with holes. Twitter had its share this year, too. Wallace provided an infographic on some of the hacks. The hacker group The Script Kiddies hacked into the USA Today Twitter page, posting false statements Sunday evening. USA Today removed the messages and posted a statement about the hack.

The Script Kiddies are also responsible for hacking into NBC News' Twitter account during the Sept. 11 weekend, posting messages about a fresh attack on New York's ground zero. The group also hacked the Fox News Twitter account in July, and falsely reported President Barack Obama had been killed, according to reports.

Twitter Infographic

Infographic by Veracode Application Security

Recommend (2) Print RSS