I can understand your concern, but there are several things that do reduce the risk.
For your typical situations where the cracker is hacking to steal information or spam ads or malware:
- If they hack into their Facebook account, they will probably be more interested in that than our forums. In fact, unless they have done some research on the individual (as opposed to cracking as many accounts as they can to spam Facebook), they would not even know that they are a member of our forums.
- Part of the reason why you ask for a forum username when they sign up is so that they look exactly like other forum users to the outside world. Once a user creates an account, there is no visible way to see they logged in with Facebook Connect, or if they logged directly into the site.
- Why would they want to hack into their forum account to spam, when they could simply sign up with their own free account and spam? They might think they are covering their tracks, but we have their IP address no matter what login they use. It is easier for them to create a throwaway e-mail address and create a new account than to hack into Facebook so they can log in to our forums.
- The forums do not really contain any sensitive data anyway, so why break in for that purpose? More juicy information like contact information is in Facebook, not our forums.
For situations where the attack is directed at one individual specifically for defaming or harassing them:
- The hacker probably did his research and would be able to get into the forums as well anyway, because even if we did not allow Facebook Connect (or others), most users use the same password anyway. So once they hacked Facebook, they would log in to the forums with the same credentials. In this type of situation, Facebook Connect is just as vulnerable as not having it, since the hacker is just as likely to log in as that user.
- Of course, this is assuming that the hacker knows that "John Doe" on Facebook is username "Guerrilla" on the forums. Unless they know them well enough to know their aliases on the forums, they may not even know their mark is active on our forums.
You are right there are issues, but I think you have the same exposure to problems (spam, etc.) whether you implement Facebook Connect or not for the typical member.
The only ones I would be concerned about are Administrators and Moderators. But that can be readily remedied by forcing Administrators and Moderators to enter their forum password, even if they are logged in with Facebook Connect, similar to how you have to reenter your forum password to get into the Admin area, even though you are already logged into the forums.
Or simply not allow Admins or Moderators to log in with Facebook Connect (or others) and force them to log in with their forum username and password. They can still associate their Facebook Account with their forum account (for the ability to make mashups with the data), but remove the ability for them to log in with Facebook Connect.
So, while it is true that it opens up an additional vector of attack, unless it is a personal attack, there actually are easier ways to bypass forum security, especially for spamming purposes.
Edited by wistex - 21 December 2009 at 5:13pm
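The two staff-account remedies described in the post (re-enter the forum password even when the session came from Facebook Connect, or refuse Facebook Connect logins for staff altogether) as an added example in Python; this is not code from the post or from any forum software. The role names, the `REAUTH_WINDOW` lifetime and the `Session` fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

PRIVILEGED_ROLES = {"admin", "moderator"}          # assumed role names
REAUTH_WINDOW = timedelta(minutes=15)              # assumed lifetime of a password check


@dataclass
class Session:
    username: str
    role: str                                      # "member", "moderator" or "admin"
    login_method: str                              # "password" or "facebook_connect"
    password_verified_at: Optional[datetime] = None  # last time the forum password was proven


def login_allowed(role: str, login_method: str, allow_social_for_staff: bool) -> bool:
    """Second remedy: refuse Facebook Connect logins for staff accounts.
    Linking the account for data mashups is a separate feature and is unaffected."""
    if login_method == "facebook_connect" and role in PRIVILEGED_ROLES:
        return allow_social_for_staff
    return True


def access_decision(session: Session, area: str, now: datetime) -> str:
    """First remedy: staff must prove the forum password before acting as staff,
    regardless of how the session was opened; the Admin area always needs a recent check.
    Returns 'allow', 'deny' or 'require_forum_password'."""
    recent = (session.password_verified_at is not None
              and now - session.password_verified_at <= REAUTH_WINDOW)
    if area == "admin":
        if session.role not in PRIVILEGED_ROLES:
            return "deny"
        return "allow" if recent else "require_forum_password"
    # Public forum area: a staff session that only Facebook vouched for is not trusted yet.
    if (session.role in PRIVILEGED_ROLES
            and session.login_method == "facebook_connect" and not recent):
        return "require_forum_password"
    return "allow"


def verify_forum_password(session: Session, supplied: str,
                          check_password: Callable[[str, str], bool], now: datetime) -> bool:
    """Record a successful forum-password check on the session. `check_password`
    is the forum's own hash comparison (assumed here, injected so nothing is re-implemented)."""
    if not check_password(session.username, supplied):
        return False
    session.password_verified_at = now
    return True
```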