I ran across the site Nextdoor.com. It is another social media site with one difference: “Nextdoor is the private social network for you, your neighbors and your community. It's the easiest way for you and your neighbors to talk online and make all of your lives better in the real world.” The idea is that only people in your real neighborhood can join. Out of curiosity I started looking around the demo site and started to think, this sounds like a terrible idea.
However, in my opinion this starts to go wrong very fast. A quick Google search for site:nextdoor.com already produces some interesting results. The first and second pages return results such as West Briar, Pointe Marin, Covie Hill and Bent Creek. Clicking these links takes you to a login page where you can get a little more information about the neighborhood, such as the city, the state and an outlined map of the neighborhood.
Figure 1
Figure 2
The next step is an address verification page. The site requires either a credit card for checking the billing address, a mobile number they can call, or a postcard they send you in the mail. I won’t get into the other worries that some of those options might cause. It looks like they are trying hard to protect the people using the site, but is that enough? And can it be easily circumvented?
What if someone simply gets into a valid account? (We don’t care about how at this moment; it happens every day on many sites.) Could an attacker use any of the data or information to their advantage? The demo site shows us that there is a lot of information ripe for the picking.
The site is a standard social media site. You have maps, an inbox, events and a Neighbors button. The exception here is that the site really wants your physical data as well, and it becomes a data gatherer’s dream. Clicking on a user shows some useful information; obviously it is up to the user what to display. With the data in figure 3 an attacker could start looking to impersonate that person, or use the data to gain access to other accounts via password resets or challenge questions like “what is your dog’s name?” or “what is your oldest child’s name?”
Figure 3
Figure 4
This example on the demo site shows a user asking for a babysitter from 4-10 pm, and other users posting phone numbers of great babysitters. This of course is incredibly helpful for the person needing the sitter. But what does it tell the bad guys? Mom or Dad won’t be home from 4-10, the name and number of the babysitter are posted, and the kids are most likely between the ages of 7 and 12. That information could be valuable to any person who wants to use it to their advantage. Did this home just become a possible target for a personal attack, a robbery, an angry boyfriend of the babysitter, or that creepy person down the street that nobody talks to?
It is your job to decide if this information is secure and okay to display to the public. No matter what claims of privacy are made, assume that someone you don’t want seeing this information will see it. Above all else protect your family and yourself, and maybe, just maybe, actually go outside and talk to your neighbors.
Finally, another important item to consider when signing up for this type of site is: do they care about security? Looking at their current job postings, they are hiring a lot of developers, and none of the posted requirements mention “secure coding practices”. Hopefully that is asked during the interview process.