Comments on: Facebook suspends app that permitted peephole

Holes in Facebook had allowed anyone to see your birthday, relationship status, gender, and other personal information on the Top Friends application.

[Steve Wonders]

"respecting the privacy rules of the site", that's an interesting point of view this. It seems Facebook is assuming that all developers will be honest and use the information correctly. At the very least that none of them will make any mistakes. Shouldn't Facebook be ENFORCING the policy by making sure outside developers can't get direct access like this?

The API that's returning usernames, etc without worrying about the users settings is the culprit and needs to be fixed, not just the code from the 2rd party developer.

Sounds like some more design and development from Facebook needs to be done. A system should be available, easy to use, etc., but that doesn't mean that security issues don't have to be addressed.

[FellowConspirator]

I've been fiddling with Facebook a bit. In order for you to use an app, you have to authorize it to be able to access your personal information. Actually, an astonishingly amount of information can be collected this way -- it's even possible to make the application automatically send messages and whatnot on your behalf. There's an app called "Likeness Quiz" on there, for instance, that propagates itself to your friends and collects information about the participants and their networks.

It's only a matter of time before someone uses this information for something sinister.

[livecrunch]

Not bad security hole but again its not like your privacy setting is something like Paris Hiltons phone number, or Larry Page SS# etc ..

-----------------------------------------------------------------------------
http://www.LiveCrunch.com

[cpeterka]

FACEBOOK should hire Byron, and for (oh, $200 K or more ) be able to sleep at night knowing that it is far less hackable.

Just My Opinion, and ... no, I don't kow Byron.

[Arbalest05]

ANYTHING that you enter into Facebook should be considered to be available to the public at large. Sure, measures will be taken to keep some of the information private, but inevitably those measures will fail (by accident or quite on purpose) and all info will be available to everyone. That is simply the nature of "social" websites.

[bridge solution]

The ap disappeared very late last night.
Indeed.
Recently, as i blogged about a little bit ago, fB has been allowing things far more insidious--lying ap bots.
http://bridgesolution.com/news/
If you don't have a FaceBook account, this may seem weird.
But it is, imho, a far worse risk factor no only for individuals, but for FB itself.

[theharmonyguy]

Um, much of this is actually old news... Ng just seems to have a way of making headlines with it. Top Friends data was accessible before they created their new profiles feature, it just didn't include as much personal information. Super Wall and SuperPoke? Those were first reported months ago. And Ng is not the first to point out Facebook's lack of enforcement ability.

Not to too my own horn, but see http://theharmonyguy.com/ for further discussion of such issues.

[lizsch]

ok so i understand the whole concern and crap like that....but are they going to get a new top friends thing???....cause it sucks having to look up my friends page or search them just to get to their profile...i could personally give a **** if people can see that stuff on my profile...because what are they gonna do? steal my idenity? yeah exactly my point...but whatever keep us posted if you get a new top friends thing! thanks very much

[slickn]

SERIOUSLY?

When people write articles about platforms, hacks, and security holes... well they need to actually know what they are talking about. No offense CNET, but you guys have done a horrible job so far. Go build a facebook app, know what FBML is, know the TOS and how the apps interact with the servers... otherwise not only are you reporting nonsense which isn't the truth, but now your misinforming people that don't know any better. The quality of "journalism"
shown here is pretty poor. You know all those "hacks" you (and web2.0 writers) have mentioned? If they are FBML pages and use fb:name they automatically follow privacy settings... hence the users names that show up as "Unknown" or "Private". Then you make the sweeping claim... its a "hack"; without even understanding what your talking about! Do the writers even know what fb:name or FBML is? Or for that matter the TOS for the apps and the TOS for their data?

Seriously being able to manipulate the URL by changing one number to another... thats not hacking, its changing a number!!!! Its usually either a known thing the devs use for QA and customer support or a bug - plain and simple. TF seemed to have changed a few things to make it so you couldn't get to others profiles in the last few weeks... so it does seem like a bug they just didnt notice. Did anyone try telling them so they could take it down? Probably not... i bet Ng dont get paid that way.

"It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said." WHAT?!?! First you can only query information from session key of the viewer. Congrats Ng... you can now steal your OWN friends information (btw, you could already see that). If its fairly easy to get an app that everyone has installed so you can truly get peoples information... well i challenge Ng to make a real app, get it on the top page. Also it seems facebook watches FQL load from apps... if your getting data you shouldnt be getting they will notice. If your slap Ng app is collecting location and interests info... that may be a giant flag for FB to check what your doing with it. (they do review the apps)

Seriously, people that understand how the platform works completely should be writing/co-writing this stuff... telling some half baked thoughts from what someone kind of said and saying its reliable is deceitful and misinforming the public.

Oh and cnet is right that the identity theft issue is serious... facebook should take down that social security number field and not display it on peoples profile when you put showsocial=1 in the URL.

[zephyrmycat]

wow do you really have this much time on your hands or is this your job?

[Timmah34]

Anyone stupid enough to put thier Social Security number, even if that field actually exists during sign up, deserves what they get.. you babbled on relentlessly in your post... this is a cnet expose... gear down abit...hahaha..
Facebook, MySpace... the scourge of the internet.. Props to the creators and the tons of cash they are making off their little meat markets.

Ng.. hmm you may want to get a life.. you troll social networking sites looking for security flaws.. rofl

[zephyrmycat]

you said it tim..he really babbled on and obvioulsy its all about money...but you cant knock em for tryin. it did work.

[Harrison912]

Since Safety and Security are my business, I'm glad FaceBook is investigating this.

[benjaminstraight]

Privacy should be the first priority.

[PretenderNX01]

If Facebook simply offered a "top friends" feature like MySpace does, there wouldn't be a need for this application.

Honestly- a few more customizable features and Facebook wouldn't need half the Apps that are quite common.

[chris120783]

"information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands."

That's absurd! Who accepts a facebook profile as a form of identification? If not that, responding to the poster above, who the hell would put sensitive information, like a social security number, on a social networking site? That's just dumb!

[Puntogirlshavefun]

Byron Ng did not find this "hack" I did! I posted a video on Youtube days before this was "found" by Byron Ng!

Have a look for yourself!

http://www.youtube.com/watch?v=Iy0uhuiunqg

[private-internet]

Facebook is designed and architectured as a public service .. why will you be surprised when there are security holes? Privacy policies should be designed within the frame work of the service not as a user agreement :)

[mojojam]

One easy fix to this is to not enter your personal information. I've got my name in there and the school I went to in case friends want to find me. That's it. Even developers with the best intent on securing sensitive info will get hacked by dedicated hackers. Just because the TOS for developers say they have to protect sensitive information doesn't mean they will.