Vancouver-based computer technician Byron Ng, who likes to prod social networks for holes and other errors, stumbled across a way to learn more about Facebook users than you're supposed to be able to--prompting Facebook to suspend the Top Friends application late on Wednesday.
Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile that seemed to belong to Paris Hilton that used her middle name "Whitney."
Basically, the app was not obeying the privacy settings specified by the user, enabling anyone with the know-how to bypass the security once they obtained someone's Facebook ID number.
Less than six hours after CNET News.com contacted Facebook on Wednesday about the matter, the company decided to suspend the Top Friends app, meaning no one can use it, Ling said. The company is also conducting an ongoing investigation into the matter, he said.
Meanwhile, another third-party app that Ng disclosed a security hole in, Super Wall, was fixed. With Super Wall, which was created by RockYou, no personal data is revealed, but anyone could have viewed the Super Wall of any other user, even if they were not friends.
"Super Wall is respecting the privacy rules of the site," Ling said, adding that data created in the apps is not governed by the same privacy policies as user profile data.
Before the app was suspended, CNET News.com was able to use Top Friends to pull up profiles of Bobby Jindal, the Republican governor of Louisiana who's been talked about as John McCain's running mate; Facebook Chief Operating Officer Sheryl Sandberg; Jonathan Heiliger, Facebook's vice president of technical operations; and what is believed to be a page for Hilton.
Similar steps were taken to view the Super Wall pages for Sandberg, Facebook founder Mark Zuckerberg; Google executive Marissa Mayer; and Lucy Southworth, wife of Google founder Larry Page.
By accessing these pages it is easy to get the Facebook ID numbers for their friends and see their pages, as well.
Nothing on the Super Walls was all that juicy (who hasn't been annoyed by the "Click forward to see what happens" spam?), but the information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands."Any Facebook user who adds an application to their profile is agreeing to give any of their personal information to the developer of that profile," Ng wrote in an e-mail after walking News.com through a demonstration of how to exploit the security holes. "Facebook has pretty low barriers of entry with regards to becoming a developer. You just need a Facebook account and to fill out some online forms."
It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said.
"Of course, it's against the Facebook terms of service for an application to store someone's personal information, but there's NO WAY for Facebook to verify compliance since Facebook applications run on PRIVATE THIRD-PARTY SERVERS, not on their own servers," Ng wrote.
Ng uncovered a way to snoop on strangers' SuperPoke pages a few weeks ago and Facebook promptly plugged it. He also exposed a hole in MySpace earlier this month that allowed people to see private photos of Hilton and her celebrity pal Lindsay Lohan, and currently there is an open hole in MySpace that allows anyone to create a discussion group and delete other peoples' bulletins, even if they are not the group leader, he said.
A MySpace representative said late Wednesday she was looking into the matter.
CNET News.com's Declan McCullagh contributed to this report.