Famster… Upon Further Inspection

While cruising around Digg today I found an entry about a site called Famster. It looked to be a great site to get your family set up online. The service looked really promising from the outside, and after signing up I thought it might be something I’d share with the rest of my family. Then I discovered their security, or lack thereof.

They use security by obscurity. If you are not familiar with that, it basically works like this: I have Object A, which has a link to Object B. To make Object B “protected”, I remove the link from Object A to Object B, so Object B is now hidden. Well… sort of. If I still know the link to Object B, I can still access it. That is the case with Famster. Worse, if you guess an account name you can find other accounts on the site and exploit the same weakness against them. Not very good security to me.

That’s just one of the issues I had with this service. Another is that there is one administrator account and then the “member” (or family members) account. I really hate the idea of just two accounts; there is no accountability for actions on the system. Yes, you should be able to trust your family, but that is not the problem. The problem is the person who is not in the family who can silently access the site without you knowing who they are or what they are looking at. That really bothers me. We are in an age of technology where this should not be happening. It is not too much to ask to have family members have their own accounts and own up to their actions on a system. At least I don’t think it’s too much to ask.
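As an added illustration of the two issues above (not Famster’s code, whose internals the post does not show), here is the “hidden link” lookup beside a version that checks family membership and records who accessed what, using constructed sample data:

```python
"""Added example, not Famster's code: the 'hidden link' pattern described in
the post, beside an ownership check with per-user audit logging.
All data below is constructed for the demo."""

# Constructed sample data: two families, each with a "private" photo.
PHOTOS = {
    "p1001": {"family": "smith", "title": "Smith reunion"},
    "p1002": {"family": "jones", "title": "Jones birthday"},
}
FAMILY_MEMBERS = {
    "smith": {"alice", "bob"},
    "jones": {"carol"},
}


class Forbidden(Exception):
    """Raised when the requesting user is not entitled to the object."""


def fetch_photo_obscure(photo_id):
    """Vulnerable pattern: 'private' only means the link is not shown in the UI.
    Anyone who knows or guesses the identifier in the URL gets the object,
    and nothing records who asked for it."""
    return PHOTOS[photo_id]


def fetch_photo_checked(user, photo_id, audit_log):
    """Hardened pattern: resolve the object, then verify that the requesting
    user belongs to the family that owns it, and log the decision under the
    individual user's identity (this is what per-member accounts buy you).
    A missing object and a forbidden object produce the same error, so
    guessing identifiers does not reveal which ones exist."""
    photo = PHOTOS.get(photo_id)
    if photo is None or user not in FAMILY_MEMBERS.get(photo["family"], set()):
        audit_log.append(f"DENY user={user} photo={photo_id}")
        raise Forbidden(photo_id)
    audit_log.append(f"ALLOW user={user} photo={photo_id}")
    return photo
```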

So, Famster, upon further inspection, your security is just not up to par. Your site looks great, but after 20 minutes of poking around on it, I am terribly concerned with what I found. I don’t want to spend much more time on it, because I’m afraid of what I might find.

Update @ 6:23pm: I’ve been informed that the issue of being able to access something private via a URL has been fixed. However, I have been unable to verify this.

5 thoughts on “Famster… Upon Further Inspection”

  1. Reminds me of my senior year in high school, around the birth of the idea of putting grades online…. You were able to view other students’ progress reports if you knew the teacher’s and student’s names by placing them in the right spot in the URL. Also, here was the *best* part… Grades were password protected, but if you entered someone’s name in the login field with no password or something made up, when it loaded the ‘failed login’ page, if you viewed the HTML source you would get that user’s password right in the source, plain text, as it ran a JavaScript comparison right in the browser!!!!

  2. Oh sucks, how disappointing. Yeah I was really excited checking it out today. And it’s ironic how much they headline their security. In any case, the last thing you need is having PII like mother’s maiden names and birthdates not properly protected.

    What a pity, their family tree visualization looked so fun. :/
