Positive Developments from Facebook

A few months back, I recall security analyst Kevin Johnson musing that the security community often hears negative stories about hacks and vulnerabilities, but rarely does one see positive reports about the times when security works and black hats fail. I thought about this during the Month of Facebook Bugs, when I came across one application (My City) whose ASP.NET framework blocked my XSS attempts stone cold.

While it’s no secret that I don’t always see eye-to-eye with the leadership of Facebook, I wanted to take this post to give them a few shout-outs instead of critiquing. Amid all the negative reports about Facebook decisions, I have seen a few developments I find encouraging.

First, Facebook has taken action against deceptive advertisements and ad networks that harvest application credentials to access user information. While I’ve argued that some of these steps were long overdue and that Facebook could have done even more, I’m grateful that they did something and that they cracked down hard on credential hijacking.

Second, one of the main responses I’ve advocated for application problems is simply to better educate developers, and I would say that Facebook has done a much better job emphasizing security issues recently. (I’m not taking credit for the change, simply applauding it as a move I endorse.) Last month, Ryan McGeehan (Facebook’s manager for security incident response) posted an official blog entry reminding developers of important security issues, providing helpful resources on the subject, and announcing a new Platform wiki article with even more information. I know from experience that Ryan is a great guy who cares about security – he patiently fielded dozens of e-mails from me in September as I relayed details on the Month of Facebook Bugs. I’m thrilled to see a security section on the main documentation site for the Facebook Platform. By the way, Facebook also has a fan page with information on security, including a section dedicated to white hats – you can get your name there if you follow their responsible disclosure guidelines.

Finally, Facebook began enforcing new, stricter Platform policies today. Among the changes, developers are now required to

Provide a link to your privacy policy in the Info section of your Application Profile page and on every page of your application.

I was honestly surprised that Facebook would require a link on every page. After seeing quite disappointing results in my study on application privacy policies this summer, I congratulate Facebook on raising the bar. Many users may not notice the new links, but a encouraging developers to establish and advertise privacy policies is a step in the right direction.

While I’m not afraid to make noise about negative trends or privacy risks I see in services such as Facebook or Google Wave, at the end of the day, it’s nothing personal. I may disagree with the developers or executives at Facebook about product architectures or content sharing, but I think we can all agree that we want to protect end users. The three steps listed above certainly help that goal, so in that regard, kudos to Facebook.