StudiVZ is one of the top searches at Technorati today,
and some people who visited this blog have asked for a short English summary, because most blogs about StudiVZ are in German.
Here is a short summary of what has happened in the last few days.
As brief as a German can be :-)
- StudiVZ is some kind of a German Facebook clone, a social community for students which, according to its own blog, had over one million users in November 2006
- StudiVZ received the "Online Star 2006", an award for the best social network website and startup
- Since its beginning the StudiVZ servers could not cope with the growing community, and the site has a history of poor performance and unavailability
- One of the founders and figureheads of StudiVZ got a bad reputation on the Net because he designed a birthday invitation with Nazi symbols and shot some questionable videos (they can be found on YouTube) in which he tried to hit on girls in a subway and in a bathroom, which made him look like an immature nerd. This, together with his arrogant behaviour towards criticism, turned out to be some kind of a deadly combination.
- The arrogance of StudiVZ towards its critics and its strategy of denying its own problems has led some blogs (Don Alfonso with his Blogbar has something of a leadership role) to disclose a lot more information about the problems within StudiVZ.
- The discussion reached a peak (and moved on from the blogs to the classical news media) when Blogbar discovered a closed group of about 700 men who regularly held "beauty contests" about the female members of StudiVZ. To do that, they used protected private information from the StudiVZ website, which quickly led to complaints and stalking issues.
- But the real public disgust started after it became public that this stalker group had been reported to the technical staff of StudiVZ, who, instead of shutting it down, asked for membership for themselves and also for one of the founders of StudiVZ.
- After StudiVZ was hit by an XSS (cross-site scripting) worm, which posted the logins/passwords of several users to a public information page within StudiVZ, and some passwords of StudiVZ support members became visible, the site went down completely for several hours on November 27th. Later the alleged creator of the worm stated that no real harm was done, because it was just a "proof of concept" worm.
- It was disclosed that StudiVZ stored all of its pictures publicly accessible (even those pictures that are marked private), the only protection being a random, 'not guessable' URL. This is nothing but "security by obscurity": the only protection is the secret algorithm that generates these "unguessable" URLs, and the fact that it remains secret.
- StudiVZ confirmed that they had to go down because of an attack, but claimed that all errors were fixed and that the security system of StudiVZ is one of the most advanced and as secure as the "ec-Kartensystem" (the German/European ATM cards). Well, after this statement nearly everyone tried to prove them wrong, and it only took two days until someone discovered that the "secret algorithm" was just a simple calculation formula.
- And then all hell broke loose at StudiVZ. New security bugs were found almost every hour (and some were fixed shortly after they were disclosed), the site went down for hours, then up again with errors fixed, then down again, then up, then previously fixed security bugs were open again.... It now looks like they are desperately trying to fix the most obvious security bugs in a piece of software that seems to be "insecure by design" and violates the most basic rules of web application security.
- to be continued, maybe sometime later ...
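To make the "security by obscurity" point from the picture-URL items concrete, here is an added example (my own illustration, not StudiVZ's code or the formula that was actually found). The weak half uses a made-up arithmetic formula with an assumed constant `SECRET_MULTIPLIER` to show that a URL derived from public ids by a fixed rule is fully reproducible by anyone who learns the rule. The hardened half, a hypothetical `PictureStore`, draws the token from the OS random generator and, more importantly, checks on every request that the requester is the owner or a friend, so the URL is only a lookup key and never the access control.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# ---------------------------------------------------------------------------
# Weak design: "security by obscurity" (constructed toy; NOT StudiVZ's formula)
# The picture URL is a fixed arithmetic function of public identifiers, and
# the server performs no authorization: whoever has the URL gets the picture.
# ---------------------------------------------------------------------------
SECRET_MULTIPLIER = 7919  # assumed constant; once leaked, every URL is derivable


def weak_picture_url(user_id: int, pic_id: int) -> str:
    token = (user_id * SECRET_MULTIPLIER + pic_id) % 1_000_003
    return f"/pics/{token}.jpg"


def weak_url_is_derivable(user_id: int, pic_id: int, url: str) -> bool:
    """True if knowing the formula is enough to reproduce the URL (no real secret)."""
    return weak_picture_url(user_id, pic_id) == url


# ---------------------------------------------------------------------------
# Hardened design: unpredictable per-picture token AND an authorization check
# on every request. The token is a lookup key, not the access control.
# ---------------------------------------------------------------------------
@dataclass
class Picture:
    owner: int
    private: bool
    # 32 bytes from the OS CSPRNG; not derivable from owner/picture ids
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class PictureStore:
    """Hypothetical server-side store; friendships are kept in a plain dict."""

    def __init__(self) -> None:
        self._by_token: dict[str, Picture] = {}
        self.friends: dict[int, set[int]] = {}  # owner id -> ids of friends

    def add(self, owner: int, private: bool) -> str:
        pic = Picture(owner=owner, private=private)
        self._by_token[pic.token] = pic
        return pic.token

    def url(self, token: str) -> str:
        return f"/pics/{token}"

    def fetch(self, token: str, requester: Optional[int]) -> Optional[Picture]:
        """Serve a picture only if the requester is authorized for it."""
        pic = self._by_token.get(token)
        if pic is None or not pic.private:
            return pic  # unknown token (None) or a public picture
        if requester is None:
            return None  # private pictures require a logged-in user
        if requester == pic.owner or requester in self.friends.get(pic.owner, set()):
            return pic
        return None  # the URL alone is not a credential


if __name__ == "__main__":
    # Constructed demo data: user 1 owns a private picture, user 2 is a friend.
    store = PictureStore()
    store.friends[1] = {2}
    tok = store.add(owner=1, private=True)
    print("weak URL reproducible:", weak_url_is_derivable(42, 7, weak_picture_url(42, 7)))
    print("anonymous gets private picture:", store.fetch(tok, None) is not None)
    print("friend gets private picture:", store.fetch(tok, 2) is not None)
    print("stranger gets private picture:", store.fetch(tok, 3) is not None)
```

The design point is the second half: even a truly random token should be treated as a handle that can leak (browser history, referrers, shared links), so the authorization decision has to be made by the server on each request rather than delegated to the secrecy of the URL.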
Written by af on: Wednesday, 29 November 2006