Facebook suspends app that permitted peephole
Vancouver-based computer technician Byron Ng, who likes to prod social networks for holes and other errors, stumbled across a way to learn more about Facebook users than you're supposed to be able to--prompting Facebook to suspend the Top Friends application late on Wednesday.
Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile that seemed to belong to Paris Hilton that used her middle name "Whitney."
Security holes in Facebook can be used to access peoples' personal information and view their friends and other activities if they are using the Top Friends or Super Wall apps. For instance, this screenshot shows the Top Friends of Facebook Chief Operating Officer Sheryl Sandberg. CNET News.com obscured her personal information.
(Credit: CNET News.com)Basically, the app was not obeying the privacy settings specified by the user, enabling anyone with the know-how to bypass the security once they obtained someone's Facebook ID number.
"We expect third-party apps to follow the rules the users set," Ben Ling, director of platform product management at Facebook, said in a phone interview Wednesday. "With Top Friends, the privacy settings of the user were not being respected according to the privacy policy terms of use."
Less than six hours after CNET News.com contacted Facebook on Wednesday about the matter, the company decided to suspend the Top Friends app, meaning no one can use it, Ling said. The company is also conducting an ongoing investigation into the matter, he said.
Meanwhile, another third-party app that Ng disclosed a security hole in, Super Wall, was fixed. With Super Wall, which was created by RockYou, no personal data is revealed, but anyone could have viewed the Super Wall of any other user, even if they were not friends.
"Super Wall is respecting the privacy rules of the site," Ling said, adding that data created in the apps is not governed by the same privacy policies as user profile data.
These are supposedly the Top Friends of Paris Hilton, who apparently listed herself using her middle name.
(Credit: CNET News.com)Before the app was suspended, CNET News.com was able to use Top Friends to pull up profiles of Bobby Jindal, the Republican governor of Louisiana who's been talked about as John McCain's running mate; Facebook Chief Operating Officer Sheryl Sandberg; Jonathan Heiliger, Facebook's vice president of technical operations; and what is believed to be a page for Hilton.
Similar steps were taken to view the Super Wall pages for Sandberg, Facebook founder Mark Zuckerberg; Google executive Marissa Mayer; and Lucy Southworth, wife of Google founder Larry Page.
By accessing these pages it is easy to get the Facebook ID numbers for their friends and see their pages, as well.
Nothing on the Super Walls was all that juicy (who hasn't been annoyed by the "Click forward to see what happens" spam?), but the information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands.
"Any Facebook user who adds an application to their profile is agreeing to give any of their personal information to the developer of that profile," Ng wrote in an e-mail after walking News.com through a demonstration of how to exploit the security holes. "Facebook has pretty low barriers of entry with regards to becoming a developer. You just need a Facebook account and to fill out some online forms."
This screenshot shows the Super Wall of Facebook founder Mark Zuckerberg. News.com blacked out the names.
(Credit: CNET News.com)It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said.
"Of course, it's against the Facebook terms of service for an application to store someone's personal information, but there's NO WAY for Facebook to verify compliance since Facebook applications run on PRIVATE THIRD-PARTY SERVERS, not on their own servers," Ng wrote.
Ng uncovered a way to snoop on strangers' SuperPoke pages a few weeks ago and Facebook promptly plugged it. He also exposed a hole in MySpace earlier this month that allowed people to see private photos of Hilton and her celebrity pal Lindsay Lohan, and currently there is an open hole in MySpace that allows anyone to create a discussion group and delete other peoples' bulletins, even if they are not the group leader, he said.
A MySpace representative said late Wednesday she was looking into the matter.
CNET News.com's Declan McCullagh contributed to this report.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor. 
The API that's returning usernames, etc without worrying about the users settings is the culprit and needs to be fixed, not just the code from the 2rd party developer.
Sounds like some more design and development from Facebook needs to be done. A system should be available, easy to use, etc., but that doesn't mean that security issues don't have to be addressed.
It's only a matter of time before someone uses this information for something sinister.
-----------------------------------------------------------------------------
http://www.LiveCrunch.com
Just My Opinion, and ... no, I don't kow Byron.
Indeed.
Recently, as i blogged about a little bit ago, fB has been allowing things far more insidious--lying ap bots.
http://bridgesolution.com/news/
If you don't have a FaceBook account, this may seem weird.
But it is, imho, a far worse risk factor no only for individuals, but for FB itself.
Not to too my own horn, but see http://theharmonyguy.com/ for further discussion of such issues.
When people write articles about platforms, hacks, and security holes... well they need to actually know what they are talking about. No offense CNET, but you guys have done a horrible job so far. Go build a facebook app, know what FBML is, know the TOS and how the apps interact with the servers... otherwise not only are you reporting nonsense which isn't the truth, but now your misinforming people that don't know any better. The quality of "journalism"
shown here is pretty poor. You know all those "hacks" you (and web2.0 writers) have mentioned? If they are FBML pages and use fb:name they automatically follow privacy settings... hence the users names that show up as "Unknown" or "Private". Then you make the sweeping claim... its a "hack"; without even understanding what your talking about! Do the writers even know what fb:name or FBML is? Or for that matter the TOS for the apps and the TOS for their data?
Seriously being able to manipulate the URL by changing one number to another... thats not hacking, its changing a number!!!! Its usually either a known thing the devs use for QA and customer support or a bug - plain and simple. TF seemed to have changed a few things to make it so you couldn't get to others profiles in the last few weeks... so it does seem like a bug they just didnt notice. Did anyone try telling them so they could take it down? Probably not... i bet Ng dont get paid that way.
"It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said." WHAT?!?! First you can only query information from session key of the viewer. Congrats Ng... you can now steal your OWN friends information (btw, you could already see that). If its fairly easy to get an app that everyone has installed so you can truly get peoples information... well i challenge Ng to make a real app, get it on the top page. Also it seems facebook watches FQL load from apps... if your getting data you shouldnt be getting they will notice. If your slap Ng app is collecting location and interests info... that may be a giant flag for FB to check what your doing with it. (they do review the apps)
Seriously, people that understand how the platform works completely should be writing/co-writing this stuff... telling some half baked thoughts from what someone kind of said and saying its reliable is deceitful and misinforming the public.
Oh and cnet is right that the identity theft issue is serious... facebook should take down that social security number field and not display it on peoples profile when you put showsocial=1 in the URL.
Facebook, MySpace... the scourge of the internet.. Props to the creators and the tons of cash they are making off their little meat markets.
Ng.. hmm you may want to get a life.. you troll social networking sites looking for security flaws.. rofl
Honestly- a few more customizable features and Facebook wouldn't need half the Apps that are quite common.
That's absurd! Who accepts a facebook profile as a form of identification? If not that, responding to the poster above, who the hell would put sensitive information, like a social security number, on a social networking site? That's just dumb!
Have a look for yourself!
http://www.youtube.com/watch?v=Iy0uhuiunqg
- by mojojam September 7, 2008 1:01 PM PDT
- One easy fix to this is to not enter your personal information. I've got my name in there and the school I went to in case friends want to find me. That's it. Even developers with the best intent on securing sensitive info will get hacked by dedicated hackers. Just because the TOS for developers say they have to protect sensitive information doesn't mean they will.
- Like this Reply to this comment
-
(19 Comments)