This morning I learned that someone had hacked into my Facebook account. How secure is the Facebook site and what are the risks associated with placing personal information and exposing your privacy in a social networking web site such as Facebook? I will address the question in a series of posts. But first things first.
Facebook has a very basic security hole which potentially compromises each and every user, placing their private data at risk. Even worse, the same security hole can be exploited to target your friends.
This morning a number of friends alerted me that they had been contacted by "me" (the impostor) through a chat session within Facebook. The impostor approached my friends asking for "help". The scammer wrote (this is pulled from a chat session): "I am stranded in London...I was mugged at a gun point in kentish town...My cash,credit card and my cell phone was taken...all I have right now is my passport...my flight leaves in 3hours and i need some money to sort out the hotel bills...I need you to loan me some money." The scammer then tried to get my friends to wire transfer money to him. As far as I know no one fell for the trick.
How could someone have hijacked my account? I don't share my password with anyone nor do I write it down. I am not a security expert but I believe there are two main possibilities. The scammer a) sniffed the password or b) broke into the Facebook application. I believe that the most likely scenario is that someone sniffed my password. But some of the tracks laid down by the scammer indicate that there might have been a different exploit from within the application.
One of the surprising things that I learned pretty quickly (as an IT professional I should know this and should have checked it beforehand) is that the Facebook login session is unencrypted, which means that any five-year-old can hack into a Facebook account by sniffing passwords on the network. Encrypting login sessions is such a basic security measure that it's scandalous that the default login page for Facebook does not use SSL (Secure Sockets Layer).
Facebook's valuation is in the billions and they have not bothered to implement the simplest security measure on their web site? Shame. No. It's negligence.
I will post a workaround that an end-user can implement to the unencrypted login session problem. Oh, by the way, I reported the hack to Facebook. I doubt I will ever hear from them. I wish they would, because I have information that might allow them to track down the scammer and, more importantly, make a determination on how the account was cracked.
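The check below is an added example and is not code from the original post or from Facebook. It shows how to audit a login page for the exposure described above: it parses the page's HTML, finds every form that carries a password field, resolves where the browser would actually submit it, and flags any form whose submit URL is not https://. The page URL, host name and HTML are constructed for illustration; only the Python standard library is used.

```python
"""Audit HTML login forms for cleartext credential submission.

Added example (not from the original post): given a page URL and its HTML,
find every form containing a password field and resolve where the browser
would POST it. A form whose resolved action is not https:// sends the
password in the clear, which is exactly the exposure the post describes.
All sample values below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect (action, has_password_field) for each <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms: list of (action, has_password)
        self._current = None     # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit to the current page URL".
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that carries a password field.

    Each finding holds the resolved submit URL and whether it is protected by
    TLS. urljoin() handles relative actions, protocol-relative actions
    (//host/path) and the empty-action case uniformly.
    """
    parser = _LoginFormFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        submit_url = urljoin(page_url, action)
        scheme = urlsplit(submit_url).scheme.lower()
        findings.append({"submit_url": submit_url, "encrypted": scheme == "https"})
    return findings


def has_cleartext_login(page_url, html):
    """True if any password form on the page would submit over plain HTTP."""
    return any(not f["encrypted"] for f in audit_login_forms(page_url, html))


# Constructed sample: an http:// page whose login form posts to a relative
# path, so the credentials travel in the clear. The search form is ignored.
SAMPLE_PAGE_URL = "http://login.example.test/home.php"
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="login.php" method="post">
  <input type="text" name="email">
  <input type="password" name="pass">
</form>
"""

# Same markup, but the form posts to an absolute https:// URL. The credentials
# are then encrypted in transit, although serving the page itself over plain
# HTTP still leaves the form markup exposed to tampering on the network, so
# the page, not just the action, should be on TLS.
SAMPLE_HTML_HTTPS_ACTION = SAMPLE_HTML.replace(
    'action="login.php"', 'action="https://login.example.test/login.php"')

if __name__ == "__main__":
    for f in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK (TLS)" if f["encrypted"] else "CLEARTEXT"
        print(f"{status}: {f['submit_url']}")
```

Run against a saved copy of a login page together with the URL it was fetched from; a CLEARTEXT finding means the password would leave the browser unencrypted and could be read by anyone on the same network path.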