Facebook rival Diaspora facing security struggle
Diaspora, the potential open-source rival to Facebook, is riddled with security issues, according to security bloggers and hacker forums.
Just one day after launching pre-alpha code, vulnerability spotters have deconstructed the code and found several security issues that need fixing before the service is unleashed on the public.
The team behind the code plans to release the full alpha code for the project – which is touted as a privacy-centric alternative to Facebook – in October, but they have their work cut out for them.
Diaspora’s own “known issues” discussion has plenty of comments reporting the possibility of cross-site scripting attacks through the injection of HTML in comments and other input fields.
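The class of bug reported above, HTML injected through a comment field that is later rendered into a page, comes down to where user-supplied text is escaped. The snippet below is an added illustration, not Diaspora code: it contrasts a rendering routine that interpolates the stored comment verbatim with one that HTML-escapes every user-controlled value on output (Ruby's standard `ERB::Util.html_escape`, which Rails templates use). The sample comment and author strings are constructed, and `leaks_markup?` is a hypothetical check that flags output in which a tag from the input survives unescaped.

```ruby
require 'erb'
include ERB::Util # provides html_escape, the same escaping Rails views apply

# Vulnerable rendering: the stored comment body and author name are dropped
# straight into the HTML, so any tag a user typed becomes live markup.
def render_comment_unsafe(author, body)
  "<div class=\"comment\"><b>#{author}</b>: #{body}</div>"
end

# Hardened rendering: every user-controlled value is escaped at the point
# it is written into HTML, so '<' becomes '&lt;' and the text is inert.
def render_comment_safe(author, body)
  "<div class=\"comment\"><b>#{html_escape(author)}</b>: #{html_escape(body)}</div>"
end

# Hypothetical regression check: does any tag present in the user input
# appear verbatim (unescaped) in the rendered output?
def leaks_markup?(rendered, user_input)
  tags = user_input.scan(/<[a-zA-Z][^>]*>/)
  tags.any? { |tag| rendered.include?(tag) }
end

# Constructed sample input of the kind reported in the Diaspora issue tracker.
SAMPLE_BODY   = "Nice post! <script>alert(1)</script>"
SAMPLE_AUTHOR = "<img src=x onerror=alert(2)>"

if __FILE__ == $0
  puts render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_BODY) # tags survive: XSS
  puts render_comment_safe(SAMPLE_AUTHOR, SAMPLE_BODY)   # tags neutralised
end
```

Escaping on output, rather than trying to strip tags on input, is the approach Rails adopted by default in its templates; the check above is the kind of test a project can keep alongside each view that renders user content.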
There are already 118 issues on file, although most relate to glitches rather than security threats.
Diaspora did warn its community that the release was buggy and had security issues, saying: “Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs, and your data is not yet fully exportable.”
However, developers criticised the apparent lack of any channel for privately reporting exploits and vulnerabilities: the only option was a public bug tracker, which would reveal every reported weakness to the world.
“Please publish a security reporting page at the earliest possible convenience, because this will have private info on it and that is a very bad idea right now,” wrote one developer going under the name patio11, on the Hacker News website forum. “There are several vulnerabilities in Diaspora and I think releasing this was very premature.”
The Diaspora team has since published an email address for secure reporting, but such an oversight will raise concerns over the security focus of the project.