Friendster Bug?


I am currently studying some of the existing social networking sites for a project I have been working on. On my laptop, my Friendster profile cookie is saved, since I am the only person using that laptop. That alone saves me from entering my credentials over and over again when I visit the page.

One concept in the design of social networking sites is common across them: the “limited” profile view. That is, you cannot see the whole profile of the person you are viewing unless you are a contact or a friend of that person. Facebook’s implementation is too conservative, while LinkedIn’s is customizable. Besides Multiply (which I am more familiar with), Friendster is one of the popular social networking sites here in the Philippines, so I reviewed it. I rarely check others’ profiles, which is why I don’t have a complete picture of how you can view a restricted profile in Friendster. I opened IE, where I was not logged in to Friendster. I was able to see the “restricted” view of my friend’s profile, BUT I noticed that the “Login” link had changed to “Log Out”. When I clicked on the “Profile” tab, my own page was loaded.

I logged out of Friendster in IE (even though I hadn’t logged in) and did a hard refresh (Ctrl+F5) around 5 times. I closed the browser, repeated the same steps again, and found that I was still logged in after all of that. Could this be another case of a faulty security implementation? As far as I know, two different browsers cannot share the same cookie for the same domain. What I suspect is that Friendster stores user sessions in its database, including the username/email of the person, the IP address, and the time they were last seen online. When a request is made from another browser (in my case IE, where I am not logged in) to view a user while not logged in, the request checks the database for an active session from the same IP address, and if a record is found, it creates an authentication cookie in that browser even though the user has not logged in to the system. I think this scenario is a security concern. Take for example a typical internet cafe set-up where only one public IP is published: even if you are not logged in to your account, you could gain some “control” over other accounts. Other features would prevent you from changing the password, but the mere fact that you are able to log in to an account that isn’t yours, or that you didn’t intentionally log in to, is a problem in itself: once an intruder makes changes to your profile, it could mean a lot of things, especially for those who can see the spoiled information.
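To make the suspected mechanism concrete, here is an added example (not code from the post or from Friendster) of a toy server-side session table: one lookup falls back to “any active session from the same IP” when no cookie is presented, as the post hypothesizes, while the hardened lookup trusts only the secret cookie token. The store, the shared cafe address and the user names are all constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    ip: str
    last_seen: float


@dataclass
class SessionStore:
    """Constructed server-side session table keyed by an opaque token."""
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, ip, time.time())
        return token  # sent back to the browser as the auth cookie

    def resolve_by_ip(self, cookie_token, ip):
        # Hypothesized flawed behaviour: with no valid cookie, recover any
        # active session that was created from the same client IP. Behind a
        # NAT (internet cafe, office) every client shares that IP.
        if cookie_token in self.sessions:
            return self.sessions[cookie_token].user, cookie_token
        for token, s in self.sessions.items():
            if s.ip == ip:
                return s.user, token  # hands another client's session to this browser
        return None, None

    def resolve_by_token(self, cookie_token, ip):
        # Hardened: a session is identified only by the secret token the
        # browser presents; the source IP is never used as an identity.
        s = self.sessions.get(cookie_token)
        if s is None:
            return None, None
        s.last_seen = time.time()
        return s.user, cookie_token


def demo():
    """Two browsers behind one NAT address; only the first has logged in."""
    store = SessionStore()
    cafe_ip = "203.0.113.7"  # constructed shared public address
    alice_token = store.login("alice", cafe_ip)  # browser 1, logged in
    flawed_user, _ = store.resolve_by_ip(None, cafe_ip)      # browser 2, no cookie
    fixed_user, _ = store.resolve_by_token(None, cafe_ip)    # browser 2, no cookie
    owner, _ = store.resolve_by_token(alice_token, cafe_ip)  # browser 1, real cookie
    return flawed_user, fixed_user, owner
```

Running `demo()` shows the flawed lookup handing “alice” to a browser that never logged in, while the token-only lookup returns nothing for it and still works for the browser that holds the real cookie.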

I am not sure if you can replicate the error; I don’t think it is just happening to me. Try it and let’s talk it over.


6 thoughts on “Friendster Bug?”

  1. FS really has a lot of bugs.
    Even their FS Userplane webchat is crawling with hackers.
    They will gain control of your account if you catch their attention.
    As a result, only a few people still show up.

  2. I considered Friendster a poorly made social network for old people.

    What do you do on that site besides share pictures and write testimonials? Changing the theme is way too difficult and makes people put in pictures that make their profile look UGLY…

    Now they are bundling with some APPS (just an API copying ideas from FB).

    FB is on its edge of no-one-gonna-use-anymore-except-Filipino…

    There’s really nothing to study about Friendster unless they change their whole buggy system…
