Hundreds of Facebook groups were turned into zombies on Tuesday in an attempt to display just how vulnerable social networkers can be. Using a design flaw in Facebook's groups feature, a group called Control Your Info found Facebook groups where the administrator had stepped down, joined the group, claimed the vacant administrator spot (which is open to any group member when the administrator leaves) and changed the name to Control Your Info.

"When you're admin of a group, you can basically do anything you want with it," the group's Web page states. "You can change its name, and the group's members won't even get a notification of it. You can send mails to all members and edit info." An evildoer could seize a widowed group (such as the hypothetical group "Sweet Valley High LoOoOoVeS Robert Pattison," for instance) and change the name to something offensive (like "The Coalition for Pedophile's Rights"), thereby damaging the image of the group members.
Control Your Info's principals spoke via Skype to FastCompany.com on Tuesday. They chatted as a group and declined to give their names but they are four students from Hyper Island, a progressive school program in Sweden that focuses on digital media and communications. (Read a Fast Company piece about Hyper Island from the March '09 issue here.) The foursome is using the experiment as their final project and will present it on Wednesday. Do they consider this project a success? "We like to think so," they said. "The first reactions we got were anger. This was not our intention at all, but some people who were in hijacked groups reacted by getting upset. But now, it seems that the anger has settled, and that people have started discussing in a constructive way."
Though the project is a bit of a stunt, the group has a valid point about online security and does a good job of pointing out a flaw in Facebook's design. When an admin leaves, Facebook should have a better security process, such as giving current members a week to claim the admin spot, then shutting down the group if no one does. Facebook users should think extra hard before putting online reputations in the hands of a total stranger who also happens to love B'Elanna Torres from Star Trek Voyager or the onion rings at Sonic.
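To make the design point concrete, here is a small Python model, added for this page and not code from Facebook or from Control Your Info, that contrasts the group-administration rules the article describes (any member may claim a vacant admin slot, and a rename notifies nobody) with a hardened variant in which a departing admin nominates a successor, the role is otherwise locked, and every rename is announced to the members. The group name, member names and the "stranger" account are constructed placeholders.

```python
# Added example (not from the article, Facebook or Control Your Info): a toy
# model of group administration. Group, member and user names are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set


class PermissionDenied(Exception):
    """Raised when a policy refuses an action."""


@dataclass
class Group:
    name: str
    members: Set[str]
    admin: Optional[str]
    nominee: Optional[str] = None            # successor named by a departing admin
    locked: bool = False                     # admin role closed to self-service claims
    notifications: List[str] = field(default_factory=list)


class WeakPolicy:
    """The behaviour the article describes: a vacant admin slot may be
    claimed by any member, and renaming the group sends no notification."""

    def admin_leaves(self, g: Group, nominee: Optional[str] = None) -> None:
        g.members.discard(g.admin)           # nominee is ignored under this policy
        g.admin = None

    def join(self, g: Group, user: str) -> None:
        g.members.add(user)

    def claim_admin(self, g: Group, user: str) -> None:
        if user not in g.members or g.admin is not None:
            raise PermissionDenied(f"{user} may not claim admin")
        g.admin = user

    def rename(self, g: Group, user: str, new_name: str) -> None:
        if user != g.admin:
            raise PermissionDenied(f"{user} is not admin")
        g.name = new_name                    # silently: members learn nothing


class HardenedPolicy(WeakPolicy):
    """A departing admin may nominate a successor; without one the role is
    locked rather than left open, and every rename is announced."""

    def admin_leaves(self, g: Group, nominee: Optional[str] = None) -> None:
        super().admin_leaves(g)
        g.nominee = nominee if nominee in g.members else None
        g.locked = g.nominee is None
        offer = f"offered to {g.nominee}" if g.nominee else "locked"
        g.notifications.append(f"admin left; role {offer}")

    def claim_admin(self, g: Group, user: str) -> None:
        if g.locked or user != g.nominee:
            raise PermissionDenied(f"{user} is not the nominated successor")
        super().claim_admin(g, user)
        g.nominee = None

    def rename(self, g: Group, user: str, new_name: str) -> None:
        old = g.name
        super().rename(g, user, new_name)
        g.notifications.append(f"{user} renamed '{old}' to '{new_name}'")


def hijack_attempt(policy: WeakPolicy, nominee: Optional[str] = None):
    """Replay the scenario from the article: the admin steps down, a stranger
    joins, claims the vacant role and renames the group.
    Returns (hijacked?, final name, notifications the members received)."""
    g = Group(name="Alumni Reunion 2004", members={"alice", "bob"}, admin="alice")
    policy.admin_leaves(g, nominee)
    policy.join(g, "stranger")
    try:
        policy.claim_admin(g, "stranger")
        policy.rename(g, "stranger", "Something Offensive")
        hijacked = True
    except PermissionDenied:
        hijacked = False
    return hijacked, g.name, list(g.notifications)


def legitimate_succession():
    """Under the hardened policy a nominated member can still take over,
    and the rename is visible to everyone in the group."""
    p = HardenedPolicy()
    g = Group(name="Alumni Reunion 2004", members={"alice", "bob"}, admin="alice")
    p.admin_leaves(g, nominee="bob")
    p.claim_admin(g, "bob")
    p.rename(g, "bob", "Alumni Reunion 2005")
    return g.admin, g.name, list(g.notifications)


if __name__ == "__main__":
    print("weak policy:", hijack_attempt(WeakPolicy()))
    print("hardened, no nominee:", hijack_attempt(HardenedPolicy()))
    print("hardened, nominee bob:", hijack_attempt(HardenedPolicy(), nominee="bob"))
    print("legitimate succession:", legitimate_succession())
```

The weak policy lets the stranger end up as admin with the group silently renamed; the hardened policy refuses the claim whether or not a successor was nominated, and the only way the group changes hands is through the nominated member, with every step recorded in the members' notifications.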
Was Control Your Info's project effective? Sure. If Facebook wasn't aware of the problem before, they are now. But is exploiting a rare and random design flaw (instead of, say, an e-mail to Facebook) the most effective way to continue a cause? Not really. Control Your Info's Facebook fan page has been disabled, as have accounts that got tangled up in the hijacking. Control Your Info backed up all the information from the original groups that were hijacked, but since their Facebook accounts were disabled, they're no longer admins and can't restore the group info. "We will find some way of providing it back to the people who it belongs to," they say. Whoops.
It would be impressive if Control Your Info continued using guerrilla tactics to expose problems with other popular services, such as Twitter or YouTube, but when asked if they planned to follow up their Facebook stunt, the group hedged. "We wanted to provide a platform for discussion for the people. We didn't want to be in focus ourselves. It seems like the discussion is starting up. If we can be outside of the discussion, we will."

Recent Comments (2 total)
November 11, 2009 at 3:10pm by Gen Hendrey
I strongly disagree with your proposed "better security process":
"...giving current members a week to claim the admin spot, then shutting down the group if no one does."
Shutting down the group??? Dissing who knows how many engaged users, deleting their group contributions, and eliminating their group data? Yikes! Not every group is some dumb joke about Twilight. There are tens of thousands of groups that represent the sole, online organizational platform of a real-life activity--like school reunions, non-profit events, community associations, musical groups etc. (uhhh..maybe that's even why some groups were miffed at being hijacked for a class project by some group-disinterested teenagers).
How about having a more real-world flow, where part of the quit-being-an-admin process is that the outgoing admin is asked (but not required) to approve/nominate/select or otherwise identify a new admin(s), who can take whatever time is needed to accept/decline/etc.
If no suggestion is made, or if some pre-set period of time expired without a new admin's acceptance, or if the new admin declined, then rather than foolishly delete the entire group, Facebook could simply "lock the door" to new wannabe admins, let group activity continue, and put some simple kind of flow in place to allow a user to request and take ownership of a group.
There are examples of other changes on Facebook that are individually approved by Facebook. For example, all real-name changes must be requested and approved. Whether it's people or software approving the name changes is irrelevant. If they can handle requisite approval of name changes, they can handle requisite approval of group-ownership requests.
November 12, 2009 at 4:43pm by CA ISBU
Interesting article. I think it’s important to note that in a computer security sense, the term “Zombie” typically refers to computers which have software secretly installed and are at least partly controlled from a remote computer.
The article and Control Your Info point out a few design vulnerabilities: group name and acting administrator can be changed without any consensus from the group. These are both issues relating to control of personal information, privacy and possibly even security. Facebook should develop a mechanism that incorporates democratic qualities to restrict how easily these can be changed, building in oversight from the members, but not being overly time consuming and cumbersome. Ultimately, Facebook users should wield control of their information and privacy.
One thing this article or Control Your Information does not point out is that it would be possible to use Facebook groups to push malware. For example, any group 'member' can post links. These links could redirect to a carefully crafted webpage that installs malware. Since videos, recommendations, and links to external sites are quite common in groups, and because some level of trust has been previously established, users might be easily fooled and this could be a successful mechanism for malware authors that use the calculus of targeting a small audience with the hope of greater returns (vs large audience/distribution and small returns). There are a lot of investment banking groups, for example. These could be targeted with a keylogging trojan and financial accounts of the members could be compromised.
Benjamin Googins
Malware Researcher, CA Internet Security