Alert raised over Diaspora security

We were warned that open-source Facebook alternative Diaspora had a few security problems, but the true scale of the issue is rapidly becoming apparent.

Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle closed-source privacy-hating Facebook.

Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that "we know there are security holes and bugs" in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are - issues which make it hard to recommend that you roll your own Diaspora server just yet.

Following the announcement of the code release, hackers over on Y-Combinator started to analyse the source - and discovered some major shortcomings.

Y-Combinator commenter patio11 is one of the more strident members to voice his concerns, stating that "there are several vulnerabilities in Diaspora right now [that] allow very bad things," but refraining from detailing the exact nature of the problems as "there are multiple public Diaspora installations, [and] they are all vulnerable."

Since those comments, multiple issues have been logged on the projects github repository, and while many are minor problems or issues like "Facebook has a majority share," there are a selection of security flaws detailed in the 115 open tickets - including the ability to inject arbitrary HTML code into comments.

For obvious reasons, more serious issues are kept out of the public eye and are instead reported to the project privately on the dedicated exploits[at] e-mail address.

While the team, plus the volunteers who have discovered the flaws, are working to resolve the issues, it's clear that anyone currently running a public Diaspora test server might want to pull the plug - at least until the next release.