Facebook Places, Foursquare, and common sense…
Ever since I first became aware of Foursquare I thought that it was a bad idea, and that it wouldn’t last long. Well I still think that it’s a really bad idea, but I was definitely wrong about how long it would last.
I have to wonder about people.
I know that security folk are more paranoid than most other people. I also know that comes with the territory, but whoever thought that it would be a good idea to advertise where you are at any given point in time? Now Facebook has gone and launched Places, which does pretty much the same thing as Foursquare.
Call me extremely paranoid, but when your average user publishes personal details on Facebook, such as their home address, where they work, their work and home e-mail addresses, photos of themselves and their family (sometimes including photos of their home and car), do they really need to let the world know exactly where they are at any given point?
I am also betting that it’s some of these very same people that tend to get all up in arms, when someone reads over their shoulder on the tube, or stands at their desk waiting for them to finish their phone call. The same people that will complain about having their privacy violated!
Now imagine the following scenarios:
1. You’ve just arrived at the office, so you decide to “check in” to one of these applications, so that everyone knows that you’re at work. You’ve also just given out the exact location of where you work. In some cases this can be a major risk: if you work in an unmarked building, for example, where the location of the building is not supposed to be that easily known, well, now everyone knows. This also lets any would-be breaking and entering specialist know that you are now no longer at home, or that your wife and kids are now home alone.
2. You call in sick for the day, and forget that you happened to befriend your boss on Facebook. You then take a nice trip to some art gallery, or to a shopping mall to catch that newly released film, and you “check in” (Yes, I’ve seen this happen!). Then you’re all shocked when you get called into your boss’s office because he knows that you weren’t really sick, you were out having fun on company time. I’ve got no problem with people taking a day off, but if you’re going to be stupid about it, then you deserve what you get.
3. From a social engineering perspective, this is amazing, as if I’m going to target someone working for a company, it means that I get to see where they hang out, what type of things they’re into, and when they’re in the office or out of the office. Picture this: the head of IT security is using Facebook Places, he checks in when he reaches the station on his way to work, then he updates his Twitter status to say that the train is running an hour late. This means that I now have the perfect opportunity to phone the company helpdesk, impersonate him, and get my remote login password reset. Then voila, I have all the access that he does, and I also know that I have about an hour to grab whatever information I please before I need to log off. Once he gets into the office, he’ll have some password problems, phone the helpdesk and get it reset, and be none the wiser.
C’mon people, please, all I’m asking is that you have some common sense. If you need people to know where you’re going, let them know; don’t tell the whole world and his dog.