Discover Network Security News
Defenses lacking at social network sites
On the initial login page, LiveJournal members send their passwords in the clear. "We're hoping to change that in the next month," Fitzpatrick said. "But site performance is our highest priority, and SSL is a pain."
Jack (not his real name) is an LJ user whose account was compromised. He isn't sure how it happened, but one day he logged in and discovered a huge portion of his journal entries had been deleted. The attacker didn't stop there -- she or he also plundered his friends' "locked" entries (visible only to other friends) and reposted extremely private exchanges as public entries in Jack's journal. Although he quickly changed his password and fixed the problem, the damage was done. "My friends were really upset and the bad feelings persist," he said. One friend feared that she might lose her job when a private entry about problems with her supervisor was made public on Jack's journal. "It's still cached on Google," he explained, "although it would probably be hard for most people to find unless they knew all the details."
The link for this article located at SecurityFocus is no longer available.