Can we (and Boonex) afford to sit back and allow security issues like Facebook's to happen?

clubbeyourself posted 6th of May 2010 in Community Voice. 6 comments.

I realise that security has been a major concern with the latest progression of updates from Boonex, however I believe we still have some way to go.

There is a situation that has happened recently that Facebook have come up against that has huge implications for them and the members of Facebook. OK, Facebook has over 400 million users (don't think any Dolphin site has that) but just the same Dolphin site owners operate under the same laws and practices that Facebook and other websites operate.

A copy and paste job here for an article that was featured on the BBC News website: http://news.bbc.co.uk/1/hi/technology/10099178.stm

Facebook fixes embarrassing security flaw

Facebook has rushed to fix a security flaw that allowed users to eavesdrop on the live chats of their friends and see their pending friend requests.

The exploit used the site's privacy features - intended to protect a user - to expose the personal information.

With just a few clicks users could spy on their friends' personal chat messages and see who had requested to join their network.

Facebook temporarily removed the chat facility while it fixed the flaw.

The exploit - originally reported by the blog TechCrunch - worked via an option in privacy settings that allows people to preview their profiles as it would appear to their friends.

Prompt fix

But it was never intended to show others what their friends were actually doing.

"For a limited period of time, a bug permitted some users' chat messages and pending friend requests to be made visible to their friends by manipulating the 'preview my profile' feature of Facebook privacy settings," Facebook said in a statement.

"When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete," it added.

The chat function will be turned back on "shortly" it said.

"For any organisation, whether you are a social networking site or not, privacy breaches are worrying," said Candid Wueest, security expert at Symantec.

"Unfortunately, this isn't the first privacy breach of its kind to plague a social networking site - other high-profile sites have also been affected with similar problems."

He praised Facebook's quick response to the issue.

"Facebook has acted quickly in fixing the alleged flaw, whereas some social networking sites have been known to take days to fix issues reported," he said.

************************

I also became aware of this from an email that I received, the type that would normally hit my spam box straight away and I only opened by accident but it was an interesting read, also includes links to videos that include a Facebook user showing how the breach could be committed and also a listen in to BBC Radio News session about the Facebook breach. The link was http://www.ynopp.com/fb/?ref=pdh for those interested.

The reason I have wanted to bring this to the Boonex/Unity community attention is to encourage people to be wary of such issues for Facebook as well as their own sites.

At present we can only work with what Boonex has provided, but it brings up the question again about updates and fixes.

Is a monthly schedule of updates and fixes a good time period? I know we don't want to be breaking and updating our sites daily but if something is serious and has been pointed out should we not demand that we get a patch to fix that issue on our sites straight away?

Facebook, with their 400 million users have the resources to act on these issues straight away, I know that Boonex do not have the resources but it is something that we all need to be aware of so we don't land ourselves in trouble.  I am no expert on law but if a breach were to cause some form of incident I am sure the site owner would be the responsible party not the makers of the software that we use.

(Please, if I am incorrect, no need to start a flaming war about who is responsible, I am just providing some information that I thought would be of interest to people here.)

 
Comments
Nathan Paton
Thank goodness that Dolphin isn't Facebook.
houstonlively
It's funny... When you're a small community using Dolphin, it's called a bug. When you're Facebook, it's called an embarrassing security flaw.
DosDawg
ah, that was actually an enhancement, moved to the next version release :)

Regards,
DosDawg
Having a Facebook account is an embarrassing Security Flaw...
tomakali
@ something that we all need to be aware of so we don't land ourselves in trouble.

once upon a time...
a fly sitting on a lump of lion-flesh had 2 reason

1.crying that the lion is dead
2.laughing that the lion is finally under its legs

the next comment would be...
wth, do i mean for this comment...

answer is
Hope for the best[trident] joke maybe
don't worry about security flaws in Dolphin, we have more to worry about
D7.0.0
D7.0.1
D7.0.2

Be cool. in all the trouble, boonex is always there to release an update no matter how many years behind...
Profesize
No worries about reaching Facebook proportions on the member front. The server would have fallen over after having gasped its last breath way before that as no mere mortal CPU could have handled the daily pressure.................lol!
 
 