
[TheReg] 'Facebook for Kids' slammed by security researchers

post #1 of 14
Thread Starter 
Quote:
Updated A new social network website claiming to be a "Facebook for Kids" is riddled with security shortcomings, security researchers at Cambridge University have warned. The site - School Together Now - said that it took security seriously and promised to review the findings of the Cambridge researchers.

School Together Now - which is aiming to sign up parents as well as children as members - is due to launch at the start of next year but is already open to registration. National media coverage about the site sparked the curiosity of Cambridge postgraduate researcher Joseph Bonneau about what security controls for an obviously vulnerable age group had been established.

Bonneau discovered a myriad of security problems beyond the issue of whether kids needed a social networking site. School Together Now is focused on signing up seven to 12 year-olds but advertisers and others can also participate.

"Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children," Bonneau writes in a post to Cambridge University's well respected Light Blue Touchpaper blog.

Preventing impersonation or fraudulent sign-ups is a difficult problem for any website, and particularly important for a social network targeting kids. But School Together Now makes few efforts to establish the bona-fides of would-be members.

"School Together Now... makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot," Bonneau notes.

The Cambridge researchers have already discovered one profile solely designed to pump out spamvertising for an online Viagra distributor.

Users of the site are not required to declare an age - of course people can lie about their age, but when they do so it gives evidence of acting in bad faith that might be useful in prosecutions.

"Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service," the security researchers add. "The site similarly makes no effort to verify claimed affiliation with a school or a parent account."

Bonneau and his colleagues were able to link a test account to any primary school they wished. Facebook, by contrast, requires a valid email address in a school's domain to join academic sub-networks.

Wide open

Other aspects of School Together Now worry researchers. The information sharing model established by the site is "fundamentally broken".

"The default settings share all entered information, which could include email addresses and phone numbers, with all users on the site–who could be anybody. Although the website classifies users into groups like children and parents (and also "advertisers"), there are no restrictions on communication between them," Bonneau writes.

In addition, forum postings are viewable through search engines. "Information posted by users may be reviewed by moderators and deleted, but we were able to locate clearly sensitive information such as age, personal habits, school membership, and location, which had been left in forums for weeks," Bonneau notes.

School Together Now also contains a private messaging function which allows users to exchange messages outside of any control by moderators. School Together Now lacks a clear mechanism for reporting abuse.

All these bad security design choices, and more, make the site unsafe for its target demographic, the Cambridge boffins conclude.

MySpace and Facebook limit membership to those over 13 because of the greater problems in catering to kids. Most child-centric sites are geared toward gaming, with little social interaction, though there are examples of child-centric sites who do a better job with security.

"Online social environments aimed specifically at kids typically provide even more security. Disney's Toontown Online game, for example, only allows free-form chat except between friends who have been verified out-of-band (outside the site)."

Think of the Children

School Together Now's claims to provide a "safe and secure environment for children" are misleading because of a lack of basic authentication and authorization that makes the site a potential hunting ground for predators, Bonneau concludes.

Professor Ross Anderson of the Cambridge University Computer Lab told El Reg that School Together Now has failed to take on board the security lessons learned by Facebook in developing its site, which fails to follow best practice and Home Office recommendations.

We relayed the concerns of the Cambridge University experts to School Together Now, which promised to review the findings of the report.

Esther Guy, School Together Now founder, a working mother of three, said: “The security of our website and the safety of our users is of paramount importance to everyone at School Together Now and we therefore welcome the Cambridge University team’s analysis of the site."

"The team’s research is particularly welcome at this time as we prepare to launch the site to the general public next year. We shall look at the report very carefully and if we feel that it identifies areas where our site’s security can be improved then we shall take swift action to do so," she added. ®
Source: http://www.theregister.co.uk/2008/12..._together_now/
    
post #2 of 14
zomg!! The internets is PUBLIC???? Since when?!?!?!

What do these idiots expect? If it's important keep it offline.

Hi my name is Dave DeSanto and my social security number is 459-32-5982
post #3 of 14
Paedophiles much?
post #4 of 14
The world needs to wake up and realize pedophiles were around before the internet.

If kids get molested, kids get molested. The rules of common sense still apply. We shouldn't be spying on kids because they MAY get molested.
post #5 of 14
Quote:
Originally Posted by WhiteCrane View Post
The world needs to wake up and realize pedophiles were around before the internet.

If kids get molested, kids get molested. The rules of common sense still apply. We shouldn't be spying on kids because they MAY get molested.

Although your post is horrible, I agree with it.
post #6 of 14
I think the real threat here is the chance of a child-predator-spambot.
post #7 of 14
The first thing I thought when I saw the title was: "I'm Rick Hansen with dateline NBC.."
post #8 of 14
Quote:
The Cambridge researchers have already discovered one profile solely designed to pump out spamvertising for an online Viagra distributor.

Now I have to clean Vault off my CRT...Seriously, Viagra distributor to children?!


I think my router earned an indefinite stay of execution...lemme go find this guy...
post #9 of 14
Quote:
Originally Posted by Betrivent View Post
The first thing I thought when I saw the title was: "I'm Rick Hansen with dateline NBC.."
*Chris Hansen


...Not that I would have any reason to know that or anything...
Edited by Solertia - 12/15/08 at 1:25pm
post #10 of 14
"Why don't you have a se--VIAGRA FOR 0.50$$$$$$$$$$$$$$$ PER 10 PILLS"