Doh! NYU Students' Anti-Facebook Project, Diaspora, Full of Security Holes

Diaspora was supposed to be the anti-Facebook. Back in May, when the public fury against Facebook and Mark Zuckerberg was frothing over in the mainstream media, a group of four idealistic nerds from NYU decided to build an alternative social network, one that gave users total control over their information. Power to the people! To finance the effort, which they named Diaspora, they started a project on the New York-based funding site Kickstarter. The crew set a goal of $10,000, but following some glowing press in the New York Times, they raised over $200,000 instead.

Summer turned to fall and the Facebook furor died down. The boys got to enjoy their celebrity, hanging out at the Mozilla office in the Bay Area and taking some R&R at Burning Man. On Wednesday, Diaspora announced its developer release to the public. The reaction has been less than stellar. “Hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos,” reported The Register.

To be fair, this was a developer release, not a consumer launch, and the Diaspora team noted on their blog that, “We know there are security holes and bugs, and your data is not yet fully exportable. If you do find something, be sure to log it in our bugtracker, and we would love screenshots and browser info.” But because the project is open source and freely distributed, reports started coming in of people standing up the code and experimenting with the service. “Don’t host it publicly. Don’t invite people to do either. It is screamingly unsafe,” tweeted the software developer Patrick McKenzie.

Really, this is more of a PR crisis than a security concern. The more people who pay attention to the code now, the safer the site will be when it launches to consumers in October. But for a project that was supposed to be about helping users gain control over their data, huge security holes were a stumble right out of the gate.