Do Facebook URL security concerns justify blocking social networks?

BROWSE BY TAG Application Security,   Web Security Tools and Best Practices,   Application and Platform Security,   Web Application and Web 2.0 Threats,   Web Browser Security,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Will an application usage policy best control network bandwidth? Can an IP spoofing tool be used to spam SPF servers? How can URL-shortening services be manipulated? Is my security program ready for Web application firewall deployment? How to ensure the security of a shopping cart application When to use the service features of the Metasploit hacking tool Preventing cross-site request forgery attacks Web Application and Web 2.0 Threats New Facebook worm propagates using sexy model Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware Pushdo botnet uses Facebook to spread malicious email attachment Gumblar Trojan drive-by exploits spike following Adobe update Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

I wouldn't classify this as a serious security concern. The Facebook URL setting that you mention, though, raises privacy issues and could lead to an embarrassing situation.

Like all Web 2.0 sites, Facebook uses Ajax technology to provide increased functionality and a better user experience. One method that Facebook uses to improve page load times involves concatenating, or joining character strings and link information, to the end of a URL. However, this means the URL for the profile you've just visited is still present in the new Facebook URL. If you copy and send this URL to someone else, they will be able to discern the previous step in your Facebook browsing history. As I said, this isn't a major security issue, but it does create an unnecessary, and potentially embarrassing, leak of personal information. For example, it could contain a link to a support or action group that you'd prefer to keep private.

You can avoid this particular problem simply by manually refreshing a Facebook page before you copy the URL from your address bar, as this removes any references to previous pages. I'm not sure how you could make the refresh an enforceable step in your acceptable usage policy, but I would certainly make your users aware of the issue.

The problem may well be something that you take into account when deciding to block social networks from your corporate network, but I think greater social network concerns are time wasting, data leakage, malware attacks and bullying.

You should, of course, be aware of the many other ways that Web browsing history is stored and accessible. First, there's the browser's address box, which presents previously typed addresses in a drop-down box. Ctrl+H brings up the browser's history panel that logs the date, time and Web address of every page visited. These features can be either handy or embarrassing, depending on who's watching over your shoulder. Thankfully, this data can be easily purged. With Internet Explorer, click on Tools, then Internet Options, then click the Delete Browsing History button. For Firefox users, click Tools then Options, select the Privacy tab and click the Clear Now button. Both browsers give you the option to clear your browsing history when closing them and delete all data that they may collect while you're browsing, such as cookies and saved form data. In IE 7 and 8, these actions now also delete the corresponding entries in the index.dat files, another store of browsing activities.

Note: If you're wondering how useful browser history data can be to an attacker, there's a website that can pretty accurately determine your gender just by analyzing your browser history. This site's just for fun, but the same data can just as easily be misused by an attacker.