The menace in the cloud

The report of a vulnerability in Facebook applications is just the latest sign that threats to the average web user’s security are moving off into the clouds.

The proof-of-concept JavaScript exploit (reported at The Register) takes advantage of a failure by Facebook’s systems to sanitise code.
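
As an added example, not code from the original post or from Facebook’s systems: the class of flaw described above is a failure to sanitise user-supplied content before it is rendered into a page. The snippet below shows the unsafe rendering pattern beside the hardened one, with a constructed photo caption standing in for the kind of user input involved; the function names and the sample caption are assumptions, and the tag-counting check is a simple way to see the difference without a browser.

```javascript
// Added example (not code from the original post or from Facebook).
// Demonstrates why failing to sanitise user-supplied content lets it
// execute as code in the page, and what the sanitised version looks like.

// Characters that are significant in HTML, mapped to their entity forms.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape untrusted text so the browser renders it literally instead of
// interpreting it as markup or script. A single-pass regex avoids
// double-escaping the "&" produced by earlier replacements.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: interpolates the caption straight into markup, so any tag the
// user typed becomes live markup (and any <script> becomes live code).
function renderCaptionUnsafe(caption) {
  return `<p class="caption">${caption}</p>`;
}

// Safe: the same template, but the caption is escaped first.
function renderCaptionSafe(caption) {
  return `<p class="caption">${escapeHtml(caption)}</p>`;
}

// Quick check a defender can run over rendered fragments: count the HTML
// tags present. Our own template contributes exactly two (<p> and </p>);
// anything beyond that came from the untrusted input.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample input (hypothetical; not the actual Facebook payload).
const SAMPLE_CAPTION = 'Holiday pics <script>injected()</script>';

// Returns true when the rendered fragment contains only the template's own
// tags, i.e. the user input stayed inert text.
function captionIsInert(renderedHtml) {
  return countTags(renderedHtml) === 2;
}

// Run stand-alone to compare the two renderings.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderCaptionUnsafe(SAMPLE_CAPTION));
  console.log("inert?", captionIsInert(renderCaptionUnsafe(SAMPLE_CAPTION)));
  console.log("safe:  ", renderCaptionSafe(SAMPLE_CAPTION));
  console.log("inert?", captionIsInert(renderCaptionSafe(SAMPLE_CAPTION)));
}
```

The point for the user described in the post is that none of this runs on their machine: escaping has to happen in the service’s own rendering code, which is exactly why a flaw there is out of the user’s hands.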

What is significant about this new breed of vulnerability is that it makes no difference how good your firewall is, how up to date your patching, how many anti-virus packages you’re running or even what operating system you’re using (so OS X and Linux users can take that smug smile off their faces). In the much-hyped world of Web 2.0 and cloud computing, the applications that contain the flaws come nowhere near your own machine.

That’s bad enough. It means you have no means of fixing the vulnerability other than waiting for the system’s owner to admit there’s a problem (which, so far, Facebook has refused to do) and get around to sorting it. You have no control over your own level of risk and exposure other than to stop using the system.

In that sense, it’s not much different to using proprietary, closed-source software. But there is a difference. Even if you do stop using the system, it probably won’t be enough. And that’s because the real danger lies in the exposure or misuse of your private information. The dangers posed by the Facebook flaw, for example, range from letting everyone see your private photos through to ID theft. And this is because it’s not just the application that lives in the clouds: your personal information is there too. And unlike the sensitive data residing on your hard disk, you can’t personally take any steps to protect it. It’s out of your hands.

As social networking becomes a social norm, people are putting more and more of their lives onto the servers of Facebook, MySpace and who knows how many other Web 2.0 sites. Their documents, address books and spreadsheets now exist in Google’s cloud. Leaving these sites - shutting down an account and having all your personal information wiped from the servers - is notoriously difficult, with no guarantee that it has been competently accomplished. So even if you learn of a vulnerability, the options open to you to mitigate any potential damage are … well, essentially none.

So, in the Web 2.0 world, we are no longer capable of managing our personal security. Perhaps it’s time for the service providers to accept more stringent requirements and greater legal responsibility. Given that they have such total control over our security, it’s time for them to accept the risk.
