As if being ostracized by big-tech hosting and supporting services was not enough of a controversy for a large and rapidly growing social networking provider, allegations recently surfaced that the provider’s user data was leaked. Reports indicate that before Amazon removed the provider from its hosting service, an Austrian hacker claimed to have accessed users’ image and video files that were uploaded to the website, along with the associated metadata. Regardless of whether this information was obtained from publicly posted materials or from a hack, the issue reinforces the need to regard data security as a top application priority.
In light of this recent report, I thought I’d share some of my thoughts about application security based on my development experience. As an engineer and team leader working with countless existing client software products, I’ve seen poorly secured systems firsthand. As a result, AndPlus development teams have learned how to rapidly correct these pitfalls in inherited projects and also how to avoid them in new development projects.
One of the key principles followed at AndPlus is the “less is more rule,” which means “less data is more security.” Our API endpoints and data delivery services always return the exact data required and never extraneous information. In recent days it has been reported that the social networking site was returning additional user information that made it straightforward to identify administrative users. This is akin to the classic spear phishing attacks, but without the need to scrape that data from a real person. Modern development architectures provide simple methods to strip unnecessary data, so it appears that there was a lack of consideration around what could go wrong if a malicious operator utilized these endpoints.
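The "return exactly what the endpoint needs" rule is easiest to enforce as an explicit allowlist projection rather than by serializing whole records. The following is an added example, not AndPlus code or code from the social network discussed; the record shape, field names and the `PUBLIC_PROFILE_FIELDS` allowlist are assumptions. It shows the leaky pattern beside the allowlisted one, plus a check that a test suite can run against every serializer to catch a newly added column that would otherwise leak by default.

```python
# Added example (not AndPlus code): allowlist-based response projection.
from typing import Any, Callable, Dict, FrozenSet, List

# Constructed sample record, shaped like a row the data layer might hand back.
# "role", "email" and "password_hash" are needed server-side only.
USER_RECORD: Dict[str, Any] = {
    "id": 1042,
    "username": "jdoe",
    "display_name": "J. Doe",
    "email": "jdoe@example.com",
    "role": "admin",
    "password_hash": "$argon2id$placeholder",
    "created_at": "2020-11-12T08:31:00Z",
}

# One allowlist per endpoint (assumed). A field reaches the client only if it is
# named here, so a column added to the table later stays private by default.
PUBLIC_PROFILE_FIELDS: FrozenSet[str] = frozenset(
    {"id", "username", "display_name", "created_at"}
)


def serialize_leaky(record: Dict[str, Any]) -> Dict[str, Any]:
    """Anti-pattern: serialize the whole record. Every field, present and future, leaks."""
    return dict(record)


def serialize_public_profile(record: Dict[str, Any]) -> Dict[str, Any]:
    """Allowlist projection: copy only named fields; absent ones are omitted, not defaulted."""
    return {k: record[k] for k in PUBLIC_PROFILE_FIELDS if k in record}


def leaked_fields(
    serializer: Callable[[Dict[str, Any]], Dict[str, Any]],
    record: Dict[str, Any],
    allowed: FrozenSet[str] = PUBLIC_PROFILE_FIELDS,
) -> List[str]:
    """Regression check for a test suite: fields the serializer emits that are not allowlisted."""
    return sorted(set(serializer(record)) - allowed)


if __name__ == "__main__":
    print("leaky serializer exposes:", leaked_fields(serialize_leaky, USER_RECORD))
    print("allowlisted serializer exposes:", leaked_fields(serialize_public_profile, USER_RECORD))
```

Keeping the allowlist next to the endpoint, rather than marking fields private on the model, means a reviewer can see at a glance what each response carries; the `leaked_fields` check turns that review into an automated test.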
Another failure reported about the breach involved the social media provider’s fallbacks when a third-party communications service provider was unavailable. It appears that when the social media site was unable to send messages through the communications service provider for multi-factor authentication and “forgot password” messaging, the social media provider simply bypassed the validation steps. As a result, the password could be reset for any email address without needing the required token that a user typically receives as part of the link in the email message. This fact alone could have created significant security vulnerabilities. In these situations, there are really two safe options: either fall back to another service provider, or give your user an error screen and halt the process. It is always better to interrupt a user’s access than risk the chance of a data breach.
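The difference between failing open and failing closed is small in code, which is why it is easy to get wrong. The following is an added example, not AndPlus code or the social network's code: a password reset service that only records a token once the delivery call has actually succeeded, so a provider outage leaves no reset path at all, shown beside a subclass that reproduces the reported failure mode of skipping validation when delivery fails. The `DeliveryUnavailable` exception, the token lifetime and the `send_message`/`set_password` callables are assumptions standing in for a real provider client and user store.

```python
# Added example (not AndPlus code): fail-closed password reset when delivery is down.
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESET_TOKEN_TTL_SECONDS = 15 * 60   # assumed policy value


class DeliveryUnavailable(Exception):
    """Stand-in for the error a messaging provider client raises during an outage."""


class PasswordResetService:
    """Hardened flow: a reset can only complete with the token that was actually delivered."""

    def __init__(self, send_message: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._send_message = send_message   # assumed provider client; may raise
        self._now = now
        # email -> (token, expiry). Only populated after successful delivery.
        self._pending: Dict[str, Tuple[Optional[str], float]] = {}

    def request_reset(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        try:
            self._send_message(email, f"Use this token to reset your password: {token}")
        except DeliveryUnavailable:
            # Fail closed: nothing is recorded, so no reset path exists for this request.
            # The caller shows an error, or retries through a second provider.
            return "delivery_failed"
        self._pending[email] = (token, self._now() + RESET_TOKEN_TTL_SECONDS)
        return "sent"

    def complete_reset(self, email: str, presented: str, new_password: str,
                       set_password: Callable[[str, str], None]) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        token, expires_at = entry
        if token is None or self._now() > expires_at:
            return False
        # Constant-time comparison so a timing side channel does not leak the token.
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        del self._pending[email]          # single use
        set_password(email, new_password)
        return True


class BypassingResetService(PasswordResetService):
    """Reproduces the reported failure mode: when delivery fails, the token check is skipped."""

    def request_reset(self, email: str) -> str:
        status = super().request_reset(email)
        if status == "delivery_failed":
            # The flaw: a None token means "accept any value" in complete_reset below.
            self._pending[email] = (None, self._now() + RESET_TOKEN_TTL_SECONDS)
            return "bypassed"
        return status

    def complete_reset(self, email: str, presented: str, new_password: str,
                       set_password: Callable[[str, str], None]) -> bool:
        entry = self._pending.get(email)
        if entry is not None and entry[0] is None:
            del self._pending[email]
            set_password(email, new_password)   # no proof of mailbox ownership at all
            return True
        return super().complete_reset(email, presented, new_password, set_password)
```

The hardened service's `complete_reset` has exactly one success path, and it requires a token that exists only because delivery succeeded; every other branch returns `False`. Detection-wise, a spike in `delivery_failed` outcomes during a provider incident is expected, while any completed reset in that window without a matching delivery record is what should page someone.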
Speaking of data, the “less is more rule” applies here as well; a system should never retain more data than it needs. Carefully managing data retention not only limits an application’s liability, but also builds the trust in the system that modern users expect and need. EXIF data, the metadata of images, can contain sensitive information about how the photo was taken, including the GPS-based location and creation times. If the data breach reports are accurate, the social networking provider failed to strip this EXIF information from images uploaded to its platform, which gave the world a way to track the whereabouts of its users.
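Stripping EXIF at upload time does not require decoding the image: in a JPEG the metadata lives in its own marker segments ahead of the compressed picture data, so an ingest service can drop those segments and copy everything else byte for byte. The following is an added example, not AndPlus code or the social network's code, written without an imaging library so the segment walk is visible. It goes slightly beyond the post's EXIF point by also recognising XMP and IPTC/Photoshop segments, which can carry location and names too. The `SAMPLE_JPEG` input is a constructed marker skeleton (it is not a decodable picture) and the metadata signature table is an assumption covering the common cases.

```python
# Added example (not AndPlus code): strip Exif/XMP/IPTC segments from a JPEG before storage.
import struct
from typing import Iterator, List, Optional, Tuple

SOI, SOS, APP1, APP13 = 0xFFD8, 0xFFDA, 0xFFE1, 0xFFED

# Metadata segment types, identified by marker plus payload signature (assumed list).
# Exif is what the post discusses; XMP and IPTC can also carry location and names.
METADATA_SIGNATURES: Tuple[Tuple[int, bytes, str], ...] = (
    (APP1, b"Exif\x00\x00", "Exif"),
    (APP1, b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
    (APP13, b"Photoshop 3.0\x00", "IPTC/Photoshop"),
)


def _segments(jpeg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each segment before SOS, then SOS with the rest of the file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = (jpeg[pos] << 8) | jpeg[pos + 1]
        if marker == SOS:
            # From SOS onward is entropy-coded data through EOI: never parsed, copied verbatim.
            yield marker, pos, len(jpeg)
            return
        if marker == 0xFF01 or 0xFFD0 <= marker <= 0xFFD7:   # TEM, RSTn: no length field
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + seg_len
        if seg_len < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end
    raise ValueError("no SOS marker found: truncated or not an image")


def _metadata_kind(jpeg: bytes, marker: int, start: int, end: int) -> Optional[str]:
    payload = jpeg[start + 4:end]
    for m, signature, name in METADATA_SIGNATURES:
        if marker == m and payload.startswith(signature):
            return name
    return None


def list_metadata(jpeg: bytes) -> List[str]:
    """Names of metadata segments present, in file order (handy for logging what was removed)."""
    return [k for k in (_metadata_kind(jpeg, *seg) for seg in _segments(jpeg)) if k]


def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG with metadata segments removed; picture data and decoding tables are untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if _metadata_kind(jpeg, marker, start, end) is None:
            out += jpeg[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed marker skeleton, not a decodable image: SOI, JFIF APP0, an Exif APP1 carrying a
# placeholder GPS string, a DQT table, then SOS with a few bytes of "entropy data" and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"GPSLatitude=placeholder")
    + _segment(0xFFDB, b"\x00" + bytes(64))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after:", list_metadata(cleaned), "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Because the walker stops at SOS and copies the remainder unchanged, it cannot corrupt the compressed data, and malformed input (wrong magic, bad segment lengths, no SOS) is rejected with `ValueError` rather than passed through. Run it on every upload before the file is written to object storage, and log `list_metadata` output so you can confirm in production that location-bearing segments are actually being removed. Other formats (HEIC, PNG with `eXIf` chunks, video containers) need their own stripper; this walker is JPEG-only.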
Finally, if something can be guessed, it will likely be guessed. For example, integer-based identifiers for data are easy to use and have a small storage footprint, but these are also the easiest type for machines to generate. Identifying user posts, videos, and images with numbers diminishes the challenge of scraping a site’s data.
Unfortunately for the social networking provider, their use of integer-based identifiers may have done just that, allowing for upwards of 80 terabytes of data to be effortlessly copied from their application. Instead of using integer-based identifiers, Globally Unique Identifiers (GUIDs) would have made guessing the identifier of the content nearly impossible. The sheer number of possibilities with GUIDs is astronomical: there are a billion times more potential GUIDs than there are stars in the universe. Utilizing these types of identifiers in most software development languages takes no additional effort, only the consideration to think about the “what if” scenarios of the future.
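The contrast between the two identifier schemes is easy to make concrete. The following is an added example, not AndPlus code or the social network's code: a constructed in-memory store keyed either by auto-increment integers or by version-4 UUIDs, a walk that recovers every item from the integer-keyed store, random guessing that recovers nothing from the UUID-keyed one, and the endpoint-side validation that rejects anything that is not a well-formed UUID before a lookup happens. `ContentStore` and its functions are assumptions for illustration.

```python
# Added example (not AndPlus code): enumerable integer ids versus random GUIDs.
import uuid
from typing import Any, Callable, Dict, Hashable, Optional


class ContentStore:
    """Constructed in-memory store; `make_id` decides how newly added items are keyed."""

    def __init__(self, make_id: Callable[[int], Hashable]):
        self._make_id = make_id
        self._items: Dict[Hashable, Any] = {}

    def add(self, payload: Any) -> Hashable:
        key = self._make_id(len(self._items))
        self._items[key] = payload
        return key

    def get(self, key: Hashable) -> Optional[Any]:
        return self._items.get(key)


def sequential_id(count: int) -> int:
    """Auto-increment style key: the next id is always the last one plus one."""
    return count + 1


def random_guid(_count: int) -> str:
    """Version-4 UUID: 122 random bits drawn from the OS CSPRNG, independent of the count."""
    return str(uuid.uuid4())


def walk_sequential(store: ContentStore, upto: int) -> int:
    """How many items a plain id walk 1..upto recovers (all of them, for integer keys)."""
    return sum(1 for i in range(1, upto + 1) if store.get(i) is not None)


def guess_guids(store: ContentStore, attempts: int) -> int:
    """How many items random GUID guesses hit. With 2**122 possible values, zero in practice."""
    return sum(1 for _ in range(attempts) if store.get(str(uuid.uuid4())) is not None)


def parse_content_id(raw: str) -> uuid.UUID:
    """Endpoint-side validation: accept only well-formed version-4 UUIDs, so integer-style
    or otherwise malformed ids are rejected before any lookup happens."""
    parsed = uuid.UUID(raw)          # raises ValueError on malformed input
    if parsed.version != 4:
        raise ValueError("content ids must be version-4 UUIDs")
    return parsed


if __name__ == "__main__":
    seq = ContentStore(sequential_id)
    rnd = ContentStore(random_guid)
    for i in range(5):
        seq.add(f"post {i}")
        rnd.add(f"post {i}")
    print("integer ids recovered by walking 1..10:", walk_sequential(seq, 10))
    print("GUID ids recovered by 10,000 random guesses:", guess_guids(rnd, 10_000))
```

Two caveats a practitioner would want alongside this. First, use version-4 (random) UUIDs: version-1 values embed a timestamp and node identifier and are far more predictable. Second, an unguessable identifier raises the cost of bulk scraping but is not an access control; a request for a valid GUID must still pass the same authorization check as any other, or a single leaked link exposes the object it names.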
Over the coming days and weeks, I’m sure we’ll learn more about the claims of a data breach at the social networking site, but so far it appears that all of the reported security issues could have been easily avoided.
Despite the many security breaches that have occurred in recent times and the catastrophic implications of these data leaks, it seems that care and consideration for security is still lacking in some digital products or, more importantly, in the mindset of the designers who create those products. The fact is, whether you’re a consulting firm writing software for a client, an enterprise-level corporation designing software, or a small startup trying to quickly build an application, intense focus on customer/product success and careful consideration of proven security guidelines can avoid many potential security pitfalls and failures.