Facebook file-sharing could be security, piracy nightmare
Facebook has started to roll out a new file-sharing capability -- and Dropbox shouldn't be the only worried party. The addition of a low-security file-sharing tool to the world's most popular social networking site could open a world of security pain on businesses and home users alike.
Facebook's new file-sharing feature enables members of Facebook Groups to upload and download files as large as 25MB, with only two file-type restrictions: no music files (such as MP3s) and no executables (files ending with ".exe"). Beyond that, everything is fair game. Facebook won't police the file swap either; it's entirely up to users to report content that's pirated or dangerous. Additionally, there are no security controls for permitting limited or full access, as you might find on Dropbox.
Facebook's descions to restrict the sharing of music files is curious, to say the least. Music companies may applaud the restriction, as it means Facebook users won't be able to readily swap pirated tunes. However, it also means that members of a Facebook music group won't be able to to share samples with fellow band members -- or a new track with their followers. Meanwhile, users will still be able to freely exchange other potentially pirated digital materials, such as e-books, digital comics, and videos. In other words, the restriction appears to have little to do with protecting musicians' intellectual property. It also means Facebook isn't introducing competition to its tight integration with Spotify.
Facebook's security case for restricting .exe files is easier to swallow, but it's hard to take seriously. Sure, it will keep cyber criminals from uploading executable malware files for would-be victims to download and open, but there's nothing to stop bad guys uploading a tantalizing, malware-infected PDF files or Word documents to a group for marks to download.
The fact that file-sharing is limited only to Facebook Groups isn't much of a security measure either. Facebook Groups are a snap to create and to join. In fact, the site lets users add their friends to groups without the need for consent. A cyber criminal would need only create a fake profile (perhaps one featuring a photo of a scantily clad female), join any number of groups, and upload infected PDF files with tantalizing, targeted names ("10 ways to advance in Game X" or "Newest script for TV Show Y") for users to download and open.
Organization with users who access Facebook already face potential security threats, as the site is a haven for cyber criminals to exploit end-user ignorance, duping them into clicking links to phishing and malware sites. This feature lets bad guys present infected files on a platter to the supposed safety of Facebook -- giving them a convenient means of duping users into infecting their machines via a platform over which IT admins have no real control.
(Source: infoworld.com)
