Facebook wannabe Diaspora hit on security issues
Testers of an early version of the source code say it's full of holes
Computerworld - The open-source project called Diaspora is being pitched as a secure and more privacy-friendly alternative to Facebook, but it is already running into early criticism over security issues by those who say they have tested it.
The team behind Diaspora this week released a pre-Alpha version of their source code on the open-source hosting site GitHub. The code is designed to spur development activity around the platform.
The code release was accompanied by a warning that it is by no means bug free. "We know there are security holes and bugs, and your data is not yet fully exportable," Diaspora said in announcing the Alpha release.
Even with that caveat, though, early reviewers have been unsparing in their criticism of Diaspora's security features -- or lack thereof.
"Basically, the code is really, really bad," Steve Klabnik, CTO of CloudFab, wrote in his blog. "I don't mean to rain on anyone's parade, but there are really, really bad security holes" in the code.
Diaspora was born earlier this year largely in response to privacy issues related to Facebook's data collection and usage practices. The effort is being spearheaded by four New York University students: Daniel Grippi, Maxwell Salzberg, Raphael Sofaer and Ilya Zhitomirskiy.
In the months since the effort began, it has attracted growing interest from Internet users and more than $200,000 in donations on sites such as Kickstarter. It has also received considerable attention from mainstream media such as the New York Times which ran a lengthy profile soon after Diaspora was launched.
The basic premise behind Diaspora is that it will allow users to have social networking functionality similar to that offered by Facebook, but with far greater control over personal data.
According to a description on the project's Web site, Diaspora will allow users to set up 'seeds' or personal servers, that they can use to store their personal data and share it directly with their friends instead of routing it through a centralized hub as with Facebook. "Friend another seed and the two of you can synchronize over a direct and secure connection instead of through a superfluous hub," the site says. "Our real social lives do not have central managers, and our virtual lives do not need them."
Klabnik himself described security errors in the code as the sort that a professional programmer would not make. In an interview, Klabnik said the sort of errors he discovered are of the sort that allows anyone to change another user's name, password, profile, images and other details easily. "There's nothing you can't do to someone else's account," he said.
While it's natural to expect some errors in pre-release code, the sort of flaws present in Diaspora, and the sheer number of them, is unusual, he said. "The whole point of this is Facebook doesn't protect privacy. If that's the goal, people have a reasonable expectation that this would be better."
Meanwhile, Patrick McKenzie, a blogger and software developer based in Japan, has been using Twitter to warn users to stay away from early versions of Diaspora because it is "screamingly unsafe." McKenzie said he has so far discovered at least five major vulnerabilities, with the first one found less than five minutes after he downloaded the source code.
The sort of security issues he discovered include cross-site scripting flaws, code injection vulnerabilities as well as authentication and authorization flaws. The fact that the code is freely available to anyone on the Internet means that many people will install and use it without being aware of the security issues, he said.
On GitHub, reviewers have so far raised more than 140 issues, several of them dealing with security concerns such as cross-site scripting errors and code-injection errors.
Diaspora did not respond to e-mailed requests for comment. However, the project has its share of supporters. Many of those commenting on the release of the Alpha code said that bugs being uncovered in code at this stage are not all that uncommon.
"This code was released to developers as an incomplete preview," cilantro said on Y-Combinator. "I'm not sure why people are holding it to the same standards as a finished product that's being released to end users. Seems like a pretext to talk trash."
Read more about Web Apps in Computerworld's Web Apps Topic Center.
- The DDoS Threat Spectrum Bolstered by favorable economics, today's global botnets are using distributed denial-of-service (DDoS) attacks to target firewalls, web services, and applications, often simultaneously.
- Need to Replace MS Threat Management Gateway? Read this article to learn how F5's Secure Web Gateway solution provides a full set of features that can help you successfully migrate...
- The Shortfall of Network Load Balancing Applications running across networks encounter a wide range of performance, security, and availability challenges as IT department strive to deliver fast, secure access...
- Leave No App Behind with Software Defined Application Services F5 Software Defined Application Services (SDAS) is the next-generation model for delivering application services that enables service injection, consumption, automation, and orchestration across...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Web Apps White Papers | Webcasts