Facebook and Twitter social media API security

I’ve wondered for some time whether it might be possible to develop a security app for Facebook that provides protection at a level similar to Internet security suites. My research has concluded that providing a scanning, tracking and notification based AV-type system is very difficult to deploy because of restrictions in the Facebook and Twitter APIs.

There are several Facebook apps that scan messages, posts, emails etc., but chat conversations and external ‘likes’ (JavaScript threats anyone?) cannot be scanned by means of the Facebook Graph API. There is also the small issue of Facebook apps, where filtering is only partially possible on some pages. Deleting objects (page permissions) from pages can be done, but we cannot stop the pages from being published, so this isn’t of any use in protecting or alerting end users. Alerting a user is very difficult given the limitations of the Facebook mechanisms that are currently in place. Tracking is partially possible, but as I stated above, Facebook Chat cannot be monitored at this time (IRC threats anyone?).

Twitter, on the other hand, uses a much more flexible API, but the data shared on Twitter is somewhat smaller and personal data isn’t shared so readily (apart from mobile images, which can contain geo-specific data). Unlike Facebook, Twitter allows developers to scan through the API, as you are given full access to any object except the user apps. Twitter also allows filtering on content, whereby Tweets can be deleted but cannot be blocked before posting. You can see that this allows users to be alerted, but unfortunately there is no blocking functionality. The blocking component is of prime importance for any type of social media security app.

There have been some interesting discussions in my security circle over the past few months concerning Twitter and Facebook developing a Microsoft-style restricted API. So what could we do? The restricted API would give security vendors access to filtering, access to all the objects and blocking mechanisms, along with an application digital signature which users would have to validate.

As you can see, there are limitations for third-party security vendors when it comes to protecting social media end users. Facebook and Twitter have a responsibility to protect their users, and recently Facebook/Websense announced URL filtering, but this is only the start. More must be done as more and more people use Facebook and Twitter for their everyday communication.

Safe surfing folks!
