The high-profile hack of the Facebook founder’s fan page should serve as a lesson in social network insecurity
A hacker may have done the Facebook world a favour by cracking the fan page of the social network’s CEO and founder, Mark Zuckerberg. The posting of an unofficial status update to the page shows how weak a single plain-text password is as the only line of defence, and such a high-profile exploit may spur some action.
It is not known whether the hacker merely guessed the user name and password, brute forced the access using a dictionary attack or actually found a vulnerability to bypass the security system.
No Comment From The Z-man
Facebook has yet to comment on the circumstances of this attack, and of the recent similar attack on the page of Nicolas Sarkozy, the French president. But the Zuckerberg page has now been withdrawn.
The hacker posted the following message:
“Let the hacking begin: If Facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? What do you think? #hackercup2011”.
The #hackercup2011 tag could indicate that it was the work of a would-be prize-winner in a current Facebook hacking competition.
As with a January 8 spoof news story about Facebook closing down in March, many people were taken in by the posting, despite the hacker effectively signing his or her work. Before the page was taken down by company officials, over 1,800 Facebookers had hit the “Like” button and more than 500 people had added comments.
Graham Cluley, senior technology consultant at Sophos, has said that 2011 will be the year when social network security, or the lack of it, comes to the fore as an issue. He told eWEEK Europe that it may not be entirely Zuckerberg’s fault. “It’s possible that his fan page is administered by a cohort of minions, rather than just the Z-man himself,” he said.
He went on to say that, although details of the hack are not available, it underlines some basic principles. Passwords should be hard to guess and never shared with others, and free Wi-Fi services – more widely available in the US, but found here at hotels and outlets like Starbucks – should be treated with caution.
“If you’re accessing the Internet via free Wi-Fi (think Starbucks) then either ensure it is encrypted or set up an https connection to avoid the threat of sidejacking by the likes of Firesheep. If [a hack attack] can happen to a high profile page like Zuckerberg’s – none of us are immune,” Cluley said.
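The sidejacking Cluley refers to works because a session cookie set without the Secure attribute is sent on every plain-HTTP request, where a sniffer on open Wi-Fi can copy and replay it. The following checker, added here as an illustration and not code from the article or from Facebook, parses Set-Cookie headers and reports session-looking cookies that lack the Secure or HttpOnly flags; the sample headers and the name hints are constructed assumptions.

```python
"""Audit Set-Cookie headers for the flags that blunt session sidejacking.

A session cookie without the Secure attribute rides on every plain-HTTP
request, so a passive sniffer on open Wi-Fi can capture and replay it.
"""

# Assumed substrings that mark a cookie as session- or auth-bearing.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def sidejack_findings(set_cookie_headers):
    """One finding per session-looking cookie that a passive sniffer could use."""
    findings = []
    for raw in set_cookie_headers:
        name, _, attrs = parse_set_cookie(raw)
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue  # preference cookies are not worth stealing
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    return findings


# Constructed sample headers modelled on a login response (not real Facebook headers).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.com",
    "theme=dark; Path=/",
    "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
]
```

Run `sidejack_findings(SAMPLE_HEADERS)` against a site's real login response headers to see which cookies would survive the https advice above being ignored.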