Children's social networking site hit over security flaws

A new social networking site for children has been criticised by a security expert.

Posting on the Light Blue Touchpaper blog, University of Cambridge cryptographic scientist Joseph Bonneau said that ‘School Together Now’ is full of security holes, including the lack of a username or password login and ‘a pattern of poor security choices driven by the desire for rapid commercialisation’.

Bonneau claimed that it ‘makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot (we have already observed a profile consisting solely of information about an online Viagra distributor).’

He also claimed that there is no attempt to verify a user's age, which should be good practice at least. He said: “Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service! The site similarly makes no effort to verify claimed affiliation with a school or a parent account.

“We were able to link our test account to any primary school we wished. Facebook, by comparison, requires a valid email address in a school's domain to join academic sub-networks. Child accounts can also accept a parent link request with a single click. This is asking for trouble, as children might feel obliged to accept a request from generic names like ‘Mom’ or ‘Dad’.”

He further claimed that the information-sharing model is fundamentally broken as the default settings share all entered information, which could include email addresses and phone numbers, with all users on the site.

All users can also post information to forums, which are viewable to the global internet – even search engine caches. Bonneau claimed that he was able to locate clearly sensitive information such as age, personal habits, school membership and location, which had been left in forums for weeks.

Bonneau said: “School Together Now has further ignored several ENISA recommendations such as having privacy settings default to the highest level. As a result, information shared with School Together Now is as visible as that on a public internet forum.

“From a security perspective, though, School Together Now is far worse because it claims to provide a ‘safe and secure environment for children’ (conceivably a violation of truth in advertisement guidelines). The perceived security encourages disclosure of private information by children; the site then functions as a convenient aggregation point for predators to trawl.

“Why would a website, ostensibly started by a concerned mother, launch with such lax security? Why would the site have fewer safety measures than Facebook, which specifically excludes children for security reasons? Numerous coding flaws in the site indicate both rushed engineering and a preoccupation with advertising revenue. ‘Advertisers’ are a user class, links to ‘Classified Ads’ and ‘Job Postings’ are prominently displayed throughout the site, and even children are encouraged to ‘Become an Affiliate’ and ‘Start Earning Today!’”
