You Can't Patch a Social Network

What makes social networks successful is precisely the thing that makes them vulnerable to hackers: Trusting and sharing with others, sometimes even strangers. Now that they’re under attack from worms and malware, operators are trying to patch security loopholes. But it’s hard to fix the DNA without altering the nature of the organism.

Facebook, MySpace and Twitter have all come under attack in recent days. In Twitter’s case, hackers whose pages contained malware started following people; by checking out their profile, those followed were compromised. With Facebook, it was a worm that spread itself through profiles. “Most web sites will, at some point, need to deal with patching a security hole,” Facebook head of security Max Kelly noted on the site’s blog last night.

What if it’s a hole social sites can’t patch?

“Right now web platforms are going through the same learning experience…that binary software went through 15 years ago,” said Adam O’Donnell, director of emerging technologies for security firm Cloudmark. “Social networks are the new operating systems in the eyes of both attackers and end users.”

The trick is to get someone to look at infectious content in the first place. Once you do that, you can use fake codecs, browser vulnerabilities and other weaknesses to infect them. So attackers appeal to your curiosity: Everyone clings to the idea of an old schoolmate or long-lost lover, for example, so they check out profiles just in case.

It’s not just curiosity; vanity is also to blame. On Twitter, you want to know who’s following you; counting followers is like the microblogger version of counting yearbook signatures to see who’s popular. So you check out your followers’ profiles, and you’re infected. Now the malware can change your content online so you, in turn, become a tool for the attackers.

The problem is that curiosity and vanity are the basis of social networking. They drive the user count — and valuations — of these companies. Site operators want to capture as many users as they can, so they have to make it easy to approach people, to let us both befriend and follow strangers.

To properly address some of these security issues, social networking sites need to change not only the technology, but some of the fundamentals of their business. And you can’t easily patch a business model.