Correction: As I looked further into the code for the Facebook login page, it appears that the post method does in fact route to https. I was incorrect. Nonetheless, I would still like FB to investigate how my account was compromised. I need to be convinced that there are no other vulnerabilities in how the application handles authentication (e.g. the iPhone client).
Trust is the currency of social networking sites: we expect that our private data will be protected and that, at the very least, site owners will observe basic security practices. In the case of a large and rich company such as Facebook we expect more. So how can a company with a multi-billion-dollar valuation get away with shoddy security practices and, on top of that, violate its own privacy policy?
Let's take a look at Facebook's published privacy policy under the security section (http://facebook.com/policy.php). The company asserts that "sensitive information" such as "passwords" is encrypted.
Facebook does not encrypt passwords during login as it claims. How do we know? Compare two websites (Gmail, TypePad) that do encrypt passwords during login:
[Screenshots: the Gmail and TypePad login pages]
Notice the telltale signs of an encrypted login session: a) the URL begins with https:// and b) the browser shows a padlock icon (in the bottom right-hand corner of the window).
Now compare that with the Facebook login page. No https:// and no padlock. It appears, therefore, that the default login page for Facebook does not encrypt passwords, which is a violation of its privacy policy.
[Screenshot: the Facebook login page]
Note: Some sites take you by redirection to an https:// page. I don't see that occurring with Facebook. FB does have an https:// page, but you can get there only by knowing the URL, which is http://login.facebook.com. If you type in login.facebook.com you will be redirected to https://login.facebook.com. You will also end up at the https:// page if you type an incorrect password at the default login page.
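The check behind the correction at the top of this post, as an added example that is not part of the original post: whether a password is sent in the clear is decided by the login form's action URL, not by the URL in the address bar. A page served over http:// whose form posts to https:// does keep the password from a passive sniffer, but the page itself is unauthenticated, so an attacker who can alter traffic can rewrite that form action. The script below, written for this post, classifies a login page into those cases. The hostnames and HTML snippets are constructed for illustration, not captures of any real site.

```python
"""
Classify how a login form transmits credentials, given the URL the
page was served from and its HTML. Sample pages are constructed
and embedded below so the script runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect action, method and has-password-field for every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_page(page_url, html):
    """
    Return one of:
      'no-login-form' - no form on the page contains a password field
      'cleartext'     - a password form submits over http
      'mixed'         - page served over http but the password form
                        submits over https: safe from passive sniffing,
                        but the unauthenticated page can be rewritten
                        by an active attacker
      'https'         - page and submission are both https
    """
    finder = _FormFinder()
    finder.feed(html)
    login_forms = [f for f in finder.forms if f["has_password"]]
    if not login_forms:
        return "no-login-form"
    page_scheme = urlsplit(page_url).scheme.lower()
    submit_schemes = set()
    for f in login_forms:
        # An empty action submits back to the page URL; a relative
        # action inherits the page's scheme and host.
        target = urljoin(page_url, f["action"]) if f["action"] else page_url
        submit_schemes.add(urlsplit(target).scheme.lower())
    if "http" in submit_schemes:
        return "cleartext"
    if page_scheme != "https":
        return "mixed"
    return "https"


# Constructed sample pages (hypothetical hosts, not real captures).
SAMPLE_RELATIVE_ACTION = (
    '<form method="post" action="/login.php">'
    '<input name="email"><input type="password" name="pass"></form>'
)
SAMPLE_HTTPS_ACTION = (
    '<form method="post" action="https://login.example.com/login.php">'
    '<input name="email"><input type="password" name="pass"></form>'
)

if __name__ == "__main__":
    cases = [
        ("http://www.example.com/", SAMPLE_RELATIVE_ACTION),
        ("http://www.example.com/", SAMPLE_HTTPS_ACTION),
        ("https://login.example.com/", SAMPLE_RELATIVE_ACTION),
        ("http://www.example.com/about", "<p>No form here.</p>"),
    ]
    for url, html in cases:
        print(f"{url:32} -> {classify_login_page(url, html)}")
```

To run it against a live page, fetch the HTML with any HTTP client and pass the final URL (after redirects) together with the body; the "mixed" verdict is the case the correction above describes, and it is the reason a padlock on the login page itself, not only on the submission, is what a careful user should look for.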
I am mystified why Facebook continues to transmit passwords in clear text (i.e. unencrypted) when the fix is so easy. I am not a security expert and if there are any inaccuracies in my posting, I will correct them if someone can point them out to me.