June 26, 2008 4:00 AM PDT

Facebook suspends app that permitted peephole

by Elinor Mills

Vancouver-based computer technician Byron Ng, who likes to prod social networks for holes and other errors, stumbled across a way to learn more about Facebook users than their privacy settings are supposed to allow, prompting Facebook to suspend the Top Friends application late on Wednesday.

Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile, listed under the middle name "Whitney," that appeared to belong to Paris Hilton.

Holes in the third-party Top Friends and Super Wall apps could be used to view people's personal information, their friends, and other activity they expected only friends to see. For instance, this screenshot shows the Top Friends of Facebook Chief Operating Officer Sheryl Sandberg. CNET News.com obscured her personal information.

(Credit: CNET News.com)

Basically, the app served up a user's data keyed on that user's numeric Facebook ID without checking whether the viewer was allowed to see it under the privacy settings the user had specified. Anyone who knew or guessed an ID number could therefore pull the data, no matter what its owner had chosen to keep private (what security engineers call an insecure direct object reference).

"We expect third-party apps to follow the rules the users set," Ben Ling, director of platform product management at Facebook, said in a phone interview Wednesday. "With Top Friends, the privacy settings of the user were not being respected according to the privacy policy terms of use."

Less than six hours after CNET News.com contacted Facebook on Wednesday about the matter, the company suspended the Top Friends app, meaning no one can use it, Ling said. The company is also investigating the matter, he said.

Meanwhile, a hole that Ng disclosed in another third-party app, Super Wall, has been fixed. Super Wall, created by RockYou, revealed no profile data, but anyone could view the Super Wall of any other user, even someone who was not a friend.

"Super Wall is respecting the privacy rules of the site," Ling said, adding that data created in the apps is not governed by the same privacy policies as user profile data.

These are supposedly the Top Friends of Paris Hilton, who apparently listed herself using her middle name.

(Credit: CNET News.com)

Before the app was suspended, CNET News.com was able to use Top Friends to pull up profiles of Bobby Jindal, the Republican governor of Louisiana who's been talked about as John McCain's running mate; Facebook Chief Operating Officer Sheryl Sandberg; Jonathan Heiliger, Facebook's vice president of technical operations; and what is believed to be a page for Hilton.

Similar steps were taken to view the Super Wall pages of Sandberg; Facebook founder Mark Zuckerberg; Google executive Marissa Mayer; and Lucy Southworth, wife of Google co-founder Larry Page.

Each of those pages also exposes the Facebook ID numbers of the person's friends, so a snooper can move from one profile to the next.
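The failure described above, as an added illustration rather than code from Slide, Facebook or CNET: a profile lookup keyed on the numeric Facebook ID that never asks who is requesting it, beside the per-field authorization check that would have honored the owner's settings, plus the crawl that follows leaked friend IDs from one profile to the next. The users, IDs, field names and privacy levels are constructed for the example; the real app's code and data model are not on the page.

```python
from dataclasses import dataclass, field

# Per-field privacy levels a user can choose, standing in for "the privacy
# settings specified by the user" in the article. Constructed for the example.
ONLY_ME, FRIENDS, EVERYONE = "only_me", "friends", "everyone"


@dataclass
class Profile:
    uid: int
    name: str
    fields: dict           # field name -> value (birthday, gender, status)
    privacy: dict          # field name -> ONLY_ME | FRIENDS | EVERYONE
    friends: set = field(default_factory=set)


# Constructed sample users, not real Facebook data. IDs are sequential
# integers, which is what makes guessing the next one trivial.
PROFILES = {
    1001: Profile(1001, "Alice",
                  {"birthday": "1980-03-04", "gender": "F", "status": "Married"},
                  {"birthday": FRIENDS, "gender": EVERYONE, "status": ONLY_ME},
                  {1002}),
    1002: Profile(1002, "Bob",
                  {"birthday": "1975-11-30", "gender": "M", "status": "Single"},
                  {"birthday": ONLY_ME, "gender": FRIENDS, "status": FRIENDS},
                  {1001}),
}
STRANGER = 9999   # a logged-in user who is nobody's friend


def lookup_vulnerable(viewer_uid, target_uid):
    """What the broken app effectively did: key the lookup on the ID from
    the request and return everything stored, never consulting the owner's
    settings or the viewer's relationship to them (an insecure direct
    object reference). viewer_uid is accepted but ignored."""
    p = PROFILES.get(target_uid)
    if p is None:
        return None
    return {"name": p.name, **p.fields, "friends": sorted(p.friends)}


def can_see(viewer_uid, owner, level):
    """Does the owner's chosen level let this viewer see a field?"""
    if viewer_uid == owner.uid or level == EVERYONE:
        return True
    if level == FRIENDS:
        return viewer_uid in owner.friends
    return False  # ONLY_ME, or an unknown level, fails closed


def lookup_hardened(viewer_uid, target_uid):
    """Same endpoint with the check the article says was missing: every
    field is filtered by the owner's setting, and the friend list, which is
    what lets a snooper hop to the next profile, goes only to friends."""
    p = PROFILES.get(target_uid)
    if p is None:
        return None
    out = {"name": p.name}
    for name, value in p.fields.items():
        if can_see(viewer_uid, p, p.privacy[name]):
            out[name] = value
    if can_see(viewer_uid, p, FRIENDS):
        out["friends"] = sorted(p.friends)
    return out


def crawl(lookup, viewer_uid, seed_ids):
    """The stranger's walk: start from a few known or guessed IDs and follow
    whatever friend IDs each response leaks. Returns uid -> fields seen."""
    seen, queue = {}, list(seed_ids)
    while queue:
        uid = queue.pop()
        if uid in seen:
            continue
        resp = lookup(viewer_uid, uid)
        if resp is None:
            continue
        seen[uid] = {k: v for k, v in resp.items() if k not in ("name", "friends")}
        queue.extend(resp.get("friends", []))
    return seen


if __name__ == "__main__":
    print("broken:  ", crawl(lookup_vulnerable, STRANGER, [1001]))
    print("hardened:", crawl(lookup_hardened, STRANGER, [1001]))
```

Run it and the stranger's crawl through the broken lookup returns both users' birthdays and relationship status, while the hardened lookup yields only Alice's gender (the one field she opened to everyone) and no friend IDs to pivot on. This is also why changing one number in a URL is enough to reach a stranger's data: the number identifies a record, it is not a permission, and the check has to happen on every request on the app's side.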

Nothing on the Super Walls was all that juicy (who hasn't been annoyed by the "Click forward to see what happens" spam?), but the information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands.

"Any Facebook user who adds an application to their profile is agreeing to give any of their personal information to the developer of that profile," Ng wrote in an e-mail after walking News.com through a demonstration of how to exploit the security holes. "Facebook has pretty low barriers of entry with regards to becoming a developer. You just need a Facebook account and to fill out some online forms."

This screenshot shows the Super Wall of Facebook founder Mark Zuckerberg. News.com blacked out the names.

(Credit: CNET News.com)

It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said.

"Of course, it's against the Facebook terms of service for an application to store someone's personal information, but there's NO WAY for Facebook to verify compliance since Facebook applications run on PRIVATE THIRD-PARTY SERVERS, not on their own servers," Ng wrote.

Ng uncovered a way to snoop on strangers' SuperPoke pages a few weeks ago, and Facebook promptly plugged it. He also exposed a hole in MySpace earlier this month that allowed people to see private photos of Hilton and her celebrity pal Lindsay Lohan, and there is currently an open hole in MySpace that allows anyone to create a discussion group and delete other people's bulletins, even if they are not the group leader, he said.

A MySpace representative said late Wednesday she was looking into the matter.

CNET News.com's Declan McCullagh contributed to this report.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Comments (19)
by Steve Wonders June 26, 2008 5:21 AM PDT
"respecting the privacy rules of the site", that's an interesting point of view. It seems Facebook is assuming that all developers will be honest and use the information correctly. At the very least that none of them will make any mistakes. Shouldn't Facebook be ENFORCING the policy by making sure outside developers can't get direct access like this?

The API that's returning usernames, etc. without worrying about the user's settings is the culprit and needs to be fixed, not just the code from the third-party developer.

Sounds like some more design and development from Facebook needs to be done. A system should be available, easy to use, etc., but that doesn't mean that security issues don't have to be addressed.
by FellowConspirator June 26, 2008 5:47 AM PDT
I've been fiddling with Facebook a bit. In order for you to use an app, you have to authorize it to be able to access your personal information. Actually, an astonishing amount of information can be collected this way -- it's even possible to make the application automatically send messages and whatnot on your behalf. There's an app called "Likeness Quiz" on there, for instance, that propagates itself to your friends and collects information about the participants and their networks.

It's only a matter of time before someone uses this information for something sinister.
by livecrunch June 26, 2008 5:57 AM PDT
Not a bad security hole, but again, it's not like your privacy setting is something like Paris Hilton's phone number or Larry Page's SS#, etc.

-----------------------------------------------------------------------------
http://www.LiveCrunch.com
by cpeterka June 26, 2008 6:52 AM PDT
FACEBOOK should hire Byron, and for (oh, $200 K or more ) be able to sleep at night knowing that it is far less hackable.

Just My Opinion, and ... no, I don't know Byron.
by Arbalest05 June 26, 2008 6:59 AM PDT
ANYTHING that you enter into Facebook should be considered to be available to the public at large. Sure, measures will be taken to keep some of the information private, but inevitably those measures will fail (by accident or quite on purpose) and all info will be available to everyone. That is simply the nature of "social" websites.
by bridge solution June 26, 2008 8:20 AM PDT
The app disappeared very late last night.
Indeed.
Recently, as I blogged about a little bit ago, FB has been allowing things far more insidious--lying app bots.
http://bridgesolution.com/news/
If you don't have a FaceBook account, this may seem weird.
But it is, imho, a far worse risk factor not only for individuals, but for FB itself.
by theharmonyguy June 26, 2008 8:24 AM PDT
Um, much of this is actually old news... Ng just seems to have a way of making headlines with it. Top Friends data was accessible before they created their new profiles feature, it just didn't include as much personal information. Super Wall and SuperPoke? Those were first reported months ago. And Ng is not the first to point out Facebook's lack of enforcement ability.

Not to toot my own horn, but see http://theharmonyguy.com/ for further discussion of such issues.
by lizsch June 26, 2008 10:26 AM PDT
OK, so I understand the whole concern and crap like that....but are they going to get a new top friends thing???....cause it sucks having to look up my friend's page or search them just to get to their profile...I could personally give a **** if people can see that stuff on my profile...because what are they gonna do? steal my identity? yeah exactly my point...but whatever keep us posted if you get a new top friends thing! thanks very much
by slickn June 26, 2008 11:36 AM PDT
SERIOUSLY?

When people write articles about platforms, hacks, and security holes... well, they need to actually know what they are talking about. No offense CNET, but you guys have done a horrible job so far. Go build a Facebook app, know what FBML is, know the TOS and how the apps interact with the servers... otherwise not only are you reporting nonsense which isn't the truth, but now you're misinforming people that don't know any better. The quality of "journalism" shown here is pretty poor. You know all those "hacks" you (and web2.0 writers) have mentioned? If they are FBML pages and use fb:name they automatically follow privacy settings... hence the users' names that show up as "Unknown" or "Private". Then you make the sweeping claim... it's a "hack"; without even understanding what you're talking about! Do the writers even know what fb:name or FBML is? Or for that matter the TOS for the apps and the TOS for their data?

Seriously, being able to manipulate the URL by changing one number to another... that's not hacking, it's changing a number!!!! It's usually either a known thing the devs use for QA and customer support or a bug - plain and simple. TF seemed to have changed a few things to make it so you couldn't get to others' profiles in the last few weeks... so it does seem like a bug they just didn't notice. Did anyone try telling them so they could take it down? Probably not... I bet Ng doesn't get paid that way.

"It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said." WHAT?!?! First, you can only query information from the session key of the viewer. Congrats Ng... you can now steal your OWN friends' information (btw, you could already see that). If it's fairly easy to get an app that everyone has installed so you can truly get people's information... well, I challenge Ng to make a real app, get it on the top page. Also it seems Facebook watches FQL load from apps... if you're getting data you shouldn't be getting they will notice. If your slap Ng app is collecting location and interests info... that may be a giant flag for FB to check what you're doing with it. (they do review the apps)

Seriously, people that understand how the platform works completely should be writing/co-writing this stuff... telling some half-baked thoughts from what someone kind of said and saying it's reliable is deceitful and misinforming the public.

Oh and CNET is right that the identity theft issue is serious... Facebook should take down that social security number field and not display it on people's profile when you put showsocial=1 in the URL.
by zephyrmycat June 27, 2008 12:45 AM PDT
Wow, do you really have this much time on your hands, or is this your job?
by Timmah34 June 26, 2008 12:43 PM PDT
Anyone stupid enough to put their Social Security number, even if that field actually exists during sign up, deserves what they get.. you babbled on relentlessly in your post... this is a cnet expose... gear down a bit...hahaha..
Facebook, MySpace... the scourge of the internet.. Props to the creators and the tons of cash they are making off their little meat markets.

Ng.. hmm you may want to get a life.. you troll social networking sites looking for security flaws.. rofl
by zephyrmycat June 27, 2008 12:47 AM PDT
you said it tim..he really babbled on and obviously it's all about money...but you can't knock 'em for tryin'. it did work.
by Harrison912 June 26, 2008 11:51 PM PDT
Since Safety and Security are my business, I'm glad FaceBook is investigating this.
by benjaminstraight June 27, 2008 3:04 AM PDT
Privacy should be the first priority.
by PretenderNX01 June 27, 2008 12:50 PM PDT
If Facebook simply offered a "top friends" feature like MySpace does, there wouldn't be a need for this application.

Honestly- a few more customizable features and Facebook wouldn't need half the Apps that are quite common.
by chris120783 June 28, 2008 11:02 AM PDT
"information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands."

That's absurd! Who accepts a facebook profile as a form of identification? If not that, responding to the poster above, who the hell would put sensitive information, like a social security number, on a social networking site? That's just dumb!
by Puntogirlshavefun June 28, 2008 1:50 PM PDT
Byron Ng did not find this "hack" I did! I posted a video on Youtube days before this was "found" by Byron Ng!

Have a look for yourself!

http://www.youtube.com/watch?v=Iy0uhuiunqg
by private-internet July 18, 2008 8:34 AM PDT
Facebook is designed and architected as a public service .. why will you be surprised when there are security holes? Privacy policies should be designed within the framework of the service, not as a user agreement :)
by mojojam September 7, 2008 1:01 PM PDT
One easy fix to this is to not enter your personal information. I've got my name in there and the school I went to in case friends want to find me. That's it. Even developers with the best intent on securing sensitive info will get hacked by dedicated hackers. Just because the TOS for developers say they have to protect sensitive information doesn't mean they will.