Crowd Comfort For Security Flaws in Facebook, Twitter, Google
A couple of years ago, some buddies and I were putting together a movie for a friend who was going through a rough time. We’d taken a bunch of goofy footage and I was editing it on Adobe Premiere. “Wouldn’t it be cool,” someone joked, “if we could make it look like a proper movie? With opening credits and a DUN-dada-DUN soundtrack?” “Totally,” I said. “I don’t know how to make those credits, but we can probably find the original clip online and overlay our text directly on top. It’ll look awesomely amateur.”
As it turned out, I had completely underestimated the awesomeness of the Interwebs. Within about two minutes, I had found a YouTube video with step-by-step instructions for creating your own, professional-looking, beautifully rendered version of the 20th Century Fox movie introduction, with whatever text you want in lieu of the official logo. Ten minutes after that, I had downloaded Blender, modified the file to my liking, and set it to render; eight hours after that, I had my custom movie intro.
Fast-forward to yesterday, when my website went down thanks to a PHP upgrade from my hosting provider, leaving me with a nice-looking header and this error message: “Function ereg() is deprecated in /includes/file.inc on line 647.” Back to Google I went, finding a solution within about ten minutes to get the site back up and running.
This is the glory of having access to the crowd: while it’s unlikely that one of your 150 closest friends will have created a custom movie logo generator, someone, somewhere, has. And you don’t need to bother your techie friend again with the PHP upgrade question, because someone, somewhere, has already answered it. It always takes less effort to do things you love and are good at; in the crowd, many hands make light work because someone, somewhere, loves and is good at the very thing you need help with.
Some of those someones love and are good at, for example, finding security holes in software. A couple of weeks ago, three someones in particular -- Rui Wang, Shuo Chen, and XiaoFeng Wang -- found major flaws in eight high-profile single sign-on systems, including Facebook Connect, Google ID, and PayPal Access. These flaws allowed a malicious user, “Bob,” to sign into third-party websites with the single sign-on credentials of a victim user, “Alice.”
The first bit of good news is that Rui, Shuo and XiaoFeng are not themselves malicious, and so they did what any responsible researchers would do: they reported their findings to the websites in question and gave them the opportunity to fix the logic flaws before going public with their research. As a result, their published paper states, “All the reported flaws, except those discovered very recently, have been fixed.” Their point is not that we should be worried about these particular flaws, but rather that we should be worried about the vulnerability of this type of system in general.
But there is other good news: namely, that crowd activity is also perfectly suited to removing, or at least minimizing, this vulnerability. Facebook and Google might employ some of the best engineers on the planet, but no single team can imagine every one of the infinite ways the evil Bob might try to take advantage of the unsuspecting Alice. Last year, Facebook formally acknowledged this, creating a Bug Bounty program with a minimum $500 reward for any good Netizen who helps them identify and patch a previously unidentified and unpatched security issue. The results were simultaneously gratifying and scary: within three weeks of the program’s launch, the social network had already paid out more than $40,000 in rewards.
The bottom line is this: if you’re putting personal and sensitive information in a semipublic forum, and if the credentials for access to that information are getting bandied about on a variety of websites, there are going to be some very smart minds thinking about how to take advantage of the situation. Won’t you sleep better knowing even more smart minds are thinking about how to protect you?