
Twitter security hole highlights need for a social media policy today

Once again, Twitter security is in the headlines. Yesterday, SEO expert Dave Naylor posted that James Slater had found a cross-site scripting vulnerability in Twitter. Cross-site scripting (XSS) is a common – and nasty – security exploit that allows a malicious hacker to insert JavaScript code into links that a user believes are trustworthy. Instead of sending the user to the intended website, the script executes in the user's browser, which could allow any number of ugly outcomes, including worms, malware infections or harvesting of session cookies.
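To make the mechanism above concrete, here is an added example (not Twitter's code, and not from the original post) showing the two halves of the problem: a page that drops a user-supplied profile URL straight into its markup, and a hardened version that only accepts http(s) targets and escapes the value before it reaches an HTML attribute. The function names and the three sample inputs are constructed for this illustration.

```javascript
// Added example: rendering a user-supplied profile URL as an HTML link.
// Run with: node render_link.js (Node 10+ for the global URL class).

// Escape the characters that matter inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the untrusted value is concatenated straight into the markup,
// so a quote in the input closes the href attribute and anything after it
// becomes part of the tag.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Only absolute http(s) URLs are acceptable link targets; javascript:, data:,
// relative paths and unparseable input are all rejected.
function isSafeLinkTarget(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Hardened: validate the scheme first, then escape for the attribute context.
// Returns null when the value is not an acceptable link target.
function renderLinkSafe(url) {
  if (!isSafeLinkTarget(url)) return null;
  const safe = escapeHtml(url);
  return '<a href="' + safe + '" rel="noopener noreferrer">' + safe + '</a>';
}

// Constructed sample inputs: a normal profile URL, a script URL, and a value
// that tries to break out of the href attribute with a double quote.
const SAMPLES = [
  "https://example.com/profile",
  "javascript:alert(document.cookie)",
  'https://example.com/" onmouseover="alert(1)',
];

// Render every sample both ways so the difference is visible side by side.
function demo() {
  return SAMPLES.map(u => ({
    input: u,
    unsafe: renderLinkUnsafe(u),
    safe: renderLinkSafe(u),
  }));
}

for (const row of demo()) console.log(row);
```

The third sample is the instructive one: the WHATWG URL parser accepts it (the quote and space are just percent-encoded in the path), so scheme validation alone would let it through; it is the attribute escaping that keeps `onmouseover` inside the attribute value instead of turning it into a new one. This is also why a web UI is exposed while third-party clients that never render the value as HTML are not.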

While no apparent damage to privacy or sensitive data has occurred through this XSS exploit, the lesson from the past 24 hours is that a social media usage policy needs to be drafted, promulgated and enforced ASAP.

Although Ben Parr wrote on the social media blog Mashable that the Twitter exploit had been fixed, echoing Twitter staff comments, Naylor followed up today with evidence that the Twitter exploit still works – just visit @APIfail2 for a (harmless) example. You'll need to view the account using a Web browser, given that third-party clients are not affected by the issue.

TechCrunch has picked up the lack of resolution to the Twitter security issue. Robin Wauters, the author of the post, has sought further comment from the startup. Although the security team at the online social messaging startup is no doubt working overtime to address the issue in a more substantive way, this episode only adds fresh concerns about the Twitter security risks I reported on in June. Twitter may need to hire a CISO soon.

Such online security concerns, however, are hardly limited to Twitter. If anything, Facebook is an even bigger target, both because of its size and because of the greater amount of personal information in its profiles. That reality hasn't gone unnoticed by hackers, as rogue Facebook phishing applications popped up last week.


What does all this mean for the compliance and security community? It's time to get serious about addressing the risk by drafting a social media policy that uses available DLP technology, sets expectations for online privacy and, perhaps most importantly, includes user education about Web app security, social engineering and phishing. As I reported earlier this month in a story exploring social media and compliance, “fewer than one-third of respondents in a recent survey said their organization had a policy in place governing social media use” – and “only 10% of the companies surveyed indicated that they had conducted employee training on such use.”

According to another survey, from security firm AVG, only 27% of social networking users are taking steps to protect themselves against similar online threats. According to “Bringing Social Security to the Online Community,” conducted with the CMO Council, 20% of social networking users have been the victim of identity theft, 55% have experienced a phishing attack, and 47% said they've had to deal with malware. Stark numbers.

In other words, if social media security wasn’t on your task list already, it should be now.

1 comment

I work for a large midwestern bank. Although our users complain (a lot), we block access to social networking sites from corporate computers. I'm sure some day we will need to open the door. But for now, simply keeping folks out seems like the best strategy. -- Michael Seese, CISSP, CIPP, author of Scrappy Information Security