This is not intended to be an intensive review of Facebook & Twitter’s security problems, just some fixes for what I think are the biggest issues facing these two sites.
Facebook – Rogue Applications and Malware Links
By far one of the biggest problems Facebook currently has is due to its open model of app development. The problem is: what do those apps really do? Who is behind them? How do I know they won’t spam my friends?
I think there is a simple fix for this that entails a few different pieces, all revolving around how new applications are added. When you click on an app it asks for permissions, and the page is pretty generic. Here’s how to fix that:
- Add a link to the author’s Facebook profile page. Facebook could validate authors and delete bogus ones. Perhaps don’t even allow a developer to release an app unless they have been on Facebook for x days or have x friends. That would help lock out the fly-by-night rogue developers. (Account age and friend counts are only a speed bump, since both can be bought, but they raise the cost of a throwaway developer account.)
- List explicit details as to what the app has access to (and not just “stuff everyone else can see”). Can this app message all my friends? Can it see my phone number? And so on.
- While we are at it on #2, let users check and uncheck individual permissions before allowing access, instead of a blanket allow. An app should get only the permissions the user actually ticked, and every API call should be checked against that set.
- More a privacy issue than a security one, but this one really bugs me! Facebook should require the tagged person in a photo to approve the tag before it goes live. Removing it after the fact is already too late. They have the new check-in feature set up this way, so you can’t check someone in without their consent.
- Same thing as above, really: in the new Groups feature you can add people to a group page before they have even said they want to join it. WTF, Facebook?
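As an added example (not Facebook’s code), here is the shape of a permission prompt that spells out each requested permission and lets the user grant only some of them, with the API then enforcing the granted set on every call. The scope names and their descriptions are assumptions for illustration:

```javascript
// Added example, not Facebook code. Scope names and descriptions are
// assumptions for illustration.
const SCOPE_DESCRIPTIONS = {
  read_profile:    "See your name, profile picture and public posts",
  read_phone:      "See your phone number",
  read_friends:    "See your friend list",
  message_friends: "Send messages to your friends on your behalf",
};

// Build the consent prompt: every requested scope is described in plain
// language, and an unknown scope is rejected rather than silently allowed.
function buildConsentPrompt(requestedScopes) {
  return requestedScopes.map((scope) => {
    if (!(scope in SCOPE_DESCRIPTIONS)) {
      throw new Error(`unknown scope: ${scope}`);
    }
    return { scope, description: SCOPE_DESCRIPTIONS[scope], granted: false };
  });
}

// Issue a grant holding only the intersection of what the app asked for and
// what the user ticked. A scope the app never requested cannot sneak in, and
// a scope the user unticked is simply absent.
function issueGrant(appId, requestedScopes, approvedScopes) {
  const granted = requestedScopes.filter((s) => approvedScopes.includes(s));
  return { appId, scopes: new Set(granted) };
}

// Every API call is checked against the grant; a missing scope means denied.
function authorize(grant, scope) {
  return grant.scopes.has(scope);
}
```

The point of the intersection in `issueGrant` is deny-by-default: the app declares what it wants, the user decides what it gets, and anything outside both lists is refused.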
Twitter – Malware hidden in shortened URLs
This one is pretty easy though I’m no code expert. Here is what Twitter could do:
- Let you mouse over a shortened URL and see a popup preview of where it actually leads: the final destination after following the whole redirect chain, not just the next hop, since short links are often chained through a second shortener. Probably pretty simple to implement.
- Since it’s a database-driven application, it would be pretty easy to disable malware URLs once they are detected. I.e., a Twitter security person finds a virus spreading via short URLs (or regular URLs); Twitter could strip that URL out of all users’ Tweets and DMs, making browsing Tweets a much safer experience. The match should be on the expanded destination, not just the short link itself, because an attacker can mint a fresh short link to the same payload in seconds.
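Both of the above come down to the same routine: expand a short URL by following redirects (with a hop limit and loop detection, and without downloading any page body), then either show the result in the preview or compare it against a blocklist and strip the link. As an added example that is not Twitter’s code, here is that routine in JavaScript; the redirect table stands in for real HEAD requests, and the hosts, paths and tweet text are constructed for illustration:

```javascript
// Added example, not Twitter's code. The redirect table, hostnames and tweet
// text are constructed for illustration.

// Stand-in for an HTTP HEAD request issued with redirects disabled: returns
// { status, location } for a known URL, or null for an unknown host.
// A real implementation would send the HEAD request and read the Location
// header; the logic below is unchanged either way.
const REDIRECTS = {
  "http://sho.rt/abc":               { status: 301, location: "http://t.co/xyz" },
  "http://t.co/xyz":                 { status: 302, location: "//evil.example/payload.exe" },
  "http://evil.example/payload.exe": { status: 200 },
  "http://sho.rt/news":              { status: 301, location: "https://news.example/story" },
  "https://news.example/story":      { status: 200 },
  "http://sho.rt/loop":              { status: 302, location: "http://sho.rt/loop" },
};

function headRequest(url) {
  return REDIRECTS[url] || null;
}

// Follow the redirect chain without fetching any body. Returns
// { final, chain } on success or { error, chain } for a dead host,
// a redirect loop, or too many hops. `URL` is the WHATWG URL global.
function expandUrl(url, fetchHead = headRequest, maxHops = 5) {
  const chain = [url];
  const seen = new Set([url]);
  let current = url;
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = fetchHead(current);
    if (!resp) return { error: "unreachable", chain };
    const isRedirect = resp.status >= 300 && resp.status < 400 && resp.location;
    if (!isRedirect) return { final: current, chain };
    // Location may be relative or protocol-relative; resolve it against
    // the URL that issued the redirect.
    const next = new URL(resp.location, current).href;
    if (seen.has(next)) return { error: "redirect loop", chain };
    seen.add(next);
    chain.push(next);
    current = next;
  }
  return { error: "too many redirects", chain };
}

// What a mouse-over preview would show: the final host and how many
// redirects it took to get there.
function previewLabel(url, fetchHead = headRequest) {
  const result = expandUrl(url, fetchHead);
  if (result.error) return `could not resolve (${result.error})`;
  const hops = result.chain.length - 1;
  return `${new URL(result.final).hostname} (${hops} redirect${hops === 1 ? "" : "s"})`;
}

// Simple URL matcher; trailing punctuation such as a closing period would be
// included, which is good enough for this demonstration.
const URL_PATTERN = /https?:\/\/[^\s<>"']+/g;

// Replace every link whose expanded destination is on the blocklist with a
// placeholder. Links that cannot be resolved are left alone here; a stricter
// policy could remove those too.
function sanitizeTweet(text, blockedHosts, fetchHead = headRequest) {
  return text.replace(URL_PATTERN, (raw) => {
    const result = expandUrl(raw, fetchHead);
    if (result.error) return raw;
    const host = new URL(result.final).hostname;
    return blockedHosts.has(host) ? "[link removed]" : raw;
  });
}
```

Because `sanitizeTweet` keys on the expanded hostname, a new short link pointing at the same blocked host is caught without anyone having to add it to the list by hand.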
That’s all for now. Since most sites these days don’t REALLY care about security (right, Gawker?) OR privacy, most or all of this will probably never see the light of day.
[Image: URL preview built into site]