Smaller, faster, more nimble, and better adapted to change. These are just some of the qualities that tech industry observers and analysts have historically ascribed to small start-ups. Well, you can add ‘better at detecting and fixing security holes’ to the list. According to a statement by Jonathan Rudenberg, a developer and security researcher, Twitter and Facebook, as well as the mobile payment app Venmo, missed a serious security hole in their systems that could have caused major damage.
The flaw was a design issue in the SMS features of Facebook, Twitter, and Venmo. The sender of a text message can specify which phone number the message appears to come from, and none of the three services had a verification step to confirm that the sender information was authentic; the displayed phone number alone was trusted to identify the account.
Attackers could have exploited this hole by posting fake status updates or sending fake mobile payments on behalf of a victim wherever those features were offered over SMS.
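The weakness described above comes down to using the caller ID of an inbound text as the only proof of who sent it. The following is an added example, not code from any of the three services: a constructed model of an SMS command gateway with the vulnerable handler (sender number selects the account) next to a hardened one that additionally requires a per-user PIN the sender must include in the message body. The account table, phone number and PIN are made-up sample data.

```python
"""Constructed model of an SMS command gateway (not any real service's code)."""
from dataclasses import dataclass
import hmac


@dataclass
class InboundSms:
    sender: str  # caller ID as delivered by the carrier; not authenticated
    body: str    # text of the message, e.g. a status update or payment command


# Constructed account table: phone number -> (username, per-user PIN).
ACCOUNTS = {
    "+15550001111": ("alice", "4821"),
}


def handle_sms_trusting_caller_id(msg: InboundSms):
    """Vulnerable pattern: the sender field alone selects the account.

    Anyone who can make a message display this number gets the command
    executed as that account.
    """
    acct = ACCOUNTS.get(msg.sender)
    if acct is None:
        return None
    user, _pin = acct
    return (user, msg.body.strip())


def handle_sms_with_pin(msg: InboundSms):
    """Hardened pattern: caller ID only routes the message; the command
    must be prefixed with a secret PIN the account holder set up
    out-of-band, so a message that merely displays the right number
    is rejected."""
    acct = ACCOUNTS.get(msg.sender)
    if acct is None:
        return None
    user, pin = acct
    parts = msg.body.strip().split(" ", 1)
    if len(parts) != 2 or not hmac.compare_digest(parts[0], pin):
        return None  # reject: missing or wrong PIN
    return (user, parts[1])


if __name__ == "__main__":
    forged = InboundSms("+15550001111", "pay bob 20")  # constructed message
    print(handle_sms_trusting_caller_id(forged))  # acts on it
    print(handle_sms_with_pin(forged))            # rejects it
```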
Rudenberg published an account of his experience contacting Twitter, Venmo, and Facebook about the issue. He noted that while it took a while for Twitter and Facebook to fix the problem, Venmo was much more nimble and responded the fastest. Since Venmo is quite a small outfit, Rudenberg had some difficulty finding its contact information. Once he got hold of Braintree, the company that had bought Venmo, it took only two days to shut down the app feature for making mobile payments via SMS. This is quite impressive considering the company does not have a large security staff tasked with detecting and fixing vulnerabilities and breaches.
Twitter and Facebook, Rudenberg reports, took quite a bit longer. It took Facebook 101 days to resolve the issue he raised, and Twitter finally fixed it after 107 days. What makes this even more surprising is that both of these large social networking companies have dedicated security groups. Facebook paid Rudenberg a $500 bounty for the report.
Although Venmo’s fast response can partly be explained by the fact that real money was at stake (Venmo is a payment provider, after all), the contrast also shows how much faster startups can move, and it is a cautionary tale for larger companies. It is a good thing this did not turn into an actual breach, because the media would have had a field day at the expense of Facebook and Twitter.