While cruising around Digg today I found an entry about a site called Famster. It looked to be a great site to get your family located online. The service looked really promising from the outside and after signing up I thought that it might be something that I’d share with the rest of my family. Then, I discovered their security, or lack thereof.
They use security by obscurity. If you are not familiar with that, it is basically this. I have Object A that has a link to Object B. In order to make Object B protected, I remove the link from Object A to Object B. So, now Object B is hidden. Well… sorta. If I still know the link to Object B, I can still access it, because nothing actually checks who is asking. That is the case with Famster. Worse, if you guess an account name you could find other accounts on the site and exploit the same weakness. Not very good security to me.
That’s just one of the issues that I had with this service. Another was that there is one administrator account and then the “member” (or family members) account. I really hate the idea of just two accounts; there is no accountability for actions on the system. Yes, you should be able to trust your family, but that is not the problem. It is the person who is not in the family who can silently access the site without you knowing who they are or what they are looking at. That really bothers me. We are in an age of technology where this is not a problem that should be occurring. It is not too much to ask to have family members have their own accounts and own up to their actions on a system. At least I don’t think it’s too much to ask.
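To make the two complaints above concrete, here is a small added example (my own illustration, not Famster's code or data; the photo record, user names and identifier are constructed). The first method models the "hidden link" approach: the object is returned to anyone who knows or guesses its identifier. The second enforces an authorization check on every request and records which named user asked, which is only meaningful when each family member has their own account rather than one shared "member" login.

```python
"""Security by obscurity versus an enforced, attributable access check.

Added example for this post; the Photo record, the user names and the
identifier 'photo-1001' are constructed here and are not Famster's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: str
    owner: str
    content: str
    viewers: frozenset[str]  # per-user identities allowed to see it


@dataclass
class Site:
    photos: dict[str, Photo]
    # Audit trail of (who, photo_id, outcome). With one shared "member"
    # account every entry would carry the same name, so this only helps
    # when each family member signs in as themselves.
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def fetch_by_obscurity(self, photo_id: str) -> str:
        """'Private' only because no page links to it any more.

        Nothing here asks who the requester is, so anyone holding or
        guessing the identifier receives the content.
        """
        return self.photos[photo_id].content

    def fetch_checked(self, requester: str, photo_id: str) -> str:
        """Authorization is enforced on every request, regardless of how
        the requester learned the identifier, and the decision is tied to
        a named user in the audit trail."""
        photo = self.photos[photo_id]
        if requester not in photo.viewers:
            self.audit.append((requester, photo_id, "denied"))
            raise PermissionError(f"{requester} may not view {photo_id}")
        self.audit.append((requester, photo_id, "allowed"))
        return photo.content


def build_sample_site() -> Site:
    # Constructed sample data: one family photo with an easily guessed id.
    album = Photo(
        "photo-1001",
        owner="alice",
        content="birthday.jpg",
        viewers=frozenset({"alice", "bob"}),
    )
    return Site(photos={album.photo_id: album})


if __name__ == "__main__":
    site = build_sample_site()
    # Obscurity: a stranger who guesses the id simply gets the photo.
    print("obscurity:", site.fetch_by_obscurity("photo-1001"))
    # Checked: a family member succeeds, a stranger is refused and logged.
    print("bob:", site.fetch_checked("bob", "photo-1001"))
    try:
        site.fetch_checked("stranger", "photo-1001")
    except PermissionError as exc:
        print("stranger:", exc)
    print("audit:", site.audit)
```

The point of the contrast is that removing the link changes nothing about `fetch_by_obscurity`; only a check that runs on every request, against a real per-user identity, closes the hole and leaves a record of who looked at what.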
So, Famster, upon further inspection, your security is just not up to par. Your site looks great, but after 20 minutes of poking around on your site, I am terribly concerned with what I found. I don’t want to spend a lot more time on it, because I’m afraid of what I might find.
Update @ 6:23pm: I’ve been informed that the issue of being able to access something that is private via a URL has been fixed. However, I have been unable to verify this.