Facebook wannabe Diaspora hit on security issues

Testers of an early version of the source code say it's full of holes

The open-source project called Diaspora is being pitched as a secure and more privacy-friendly alternative to Facebook, but it is already running into early criticism over security issues by those who say they have tested it.

The team behind Diaspora this week released a pre-Alpha version of their source code on the open-source hosting site GitHub. The code is designed to spur development activity around the platform.

The code release was accompanied by a warning that it is by no means bug free. "We know there are security holes and bugs, and your data is not yet fully exportable," Diaspora said in announcing the Alpha release.

Even with that caveat, though, early reviewers have been unsparing in their criticism of Diaspora's security features -- or lack thereof.

"Basically, the code is really, really bad," Steve Klabnik, CTO of CloudFab, wrote in his blog. "I don't mean to rain on anyone's parade, but there are really, really bad security holes" in the code.

Diaspora was born earlier this year largely in response to privacy issues related to Facebook's data collection and usage practices. The effort is being spearheaded by four New York University students: Daniel Grippi, Maxwell Salzberg, Raphael Sofaer and Ilya Zhitomirskiy.

In the months since the effort began, it has attracted growing interest from Internet users and more than $200,000 in donations on sites such as Kickstarter. It has also received considerable attention from mainstream media such as the New York Times which ran a lengthy profile soon after Diaspora was launched.

The basic premise behind Diaspora is that it will allow users to have social networking functionality similar to that offered by Facebook, but with far greater control over personal data.

According to a description on the project's Web site, Diaspora will allow users to set up 'seeds' or personal servers, that they can use to store their personal data and share it directly with their friends instead of routing it through a centralized hub as with Facebook. "Friend another seed and the two of you can synchronize over a direct and secure connection instead of through a superfluous hub," the site says. "Our real social lives do not have central managers, and our virtual lives do not need them."

But initial reviews and comments on sites such as GitHub, Y-Combinator and Slashdot suggest that many are disappointed over the quality of the code released so far.

Klabnik himself described security errors in the code as the sort that a professional programmer would not make. In an interview, Klabnik said the sort of errors he discovered are of the sort that allows anyone to change another user's name, password, profile, images and other details easily. "There's nothing you can't do to someone else's account," he said.

While it's natural to expect some errors in pre-release code, the sort of flaws present in Diaspora, and the sheer number of them, is unusual, he said. "The whole point of this is Facebook doesn't protect privacy. If that's the goal, people have a reasonable expectation that this would be better."

Meanwhile, Patrick McKenzie, a blogger and software developer based in Japan, has been using Twitter to warn users to stay away from early versions of Diaspora because it is "screamingly unsafe." McKenzie said he has so far discovered at least five major vulnerabilities, with the first one found less than five minutes after he downloaded the source code.

The sort of security issues he discovered include cross-site scripting flaws, code injection vulnerabilities as well as authentication and authorization flaws. The fact that the code is freely available to anyone on the Internet means that many people will install and use it without being aware of the security issues, he said.

On GitHub, reviewers have so far raised more than 140 issues, several of them dealing with security concerns such as cross-site scripting errors and code-injection errors.

Diaspora did not respond to e-mailed requests for comment. However, the project has its share of supporters. Many of those commenting on the release of the Alpha code said that bugs being uncovered in code at this stage are not all that uncommon.

"This code was released to developers as an incomplete preview," cilantro said on Y-Combinator. "I'm not sure why people are holding it to the same standards as a finished product that's being released to end users. Seems like a pretext to talk trash."

Join the discussion
Be the first to comment on this article. Our Commenting Policies