Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.
Just a few months after this blog brought you exclusive news of privacy problems in Facebook's application system, we are now already seeing the consequences of Facebook's decision to pass the buck on on application security and privacy. Facebook shares user data with a large number of third-party application developers (without user consent), who then leave the data open to hackers due to nonexistent security and privacy protections. We at Surveillance State would be lying if we said we didn't see this coming.
Third-party developers
As I mentioned in a blog post back in January, Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent. Simply put, whenever a user installs a Facebook app, the developers of that application get access to data on every person who that user is Facebook 'friends' with, as well as most of the people in that user's network. While Facebook makes it perfectly clear when users install an application that developers will get access to their data, it doesn't do anything at all to warn users that the same data sharing occurs when their friends install apps.
Facebook has its legal bases covered though, as its Terms of Service clearly state that the company is in no way responsible for anything that the developers do with user data. It further notes that the company does nothing at all to verify that developers are doing anything at all to protect user data, or that they are not storing data beyond the time needed to process the application request (a strict no-no). The terms of service state:
"[each application] has not been approved, endorsed, or reviewed in any manner by Facebook...we are not responsible for...the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK."
Flaws in apps, users at risk
According to a recent article in 2600, the Hacker Quarterly, many popular Facebook applications are vulnerable to trivial attacks, which permit a nefarious person to both set and read the data associated with that app. The 2600 article uses apps Moods, Free Gifts, and Super Wall to prove its point.
Quite simply, the developers have no authentication mechanism in place on their own servers when processing queries issued by a Facebook application. The developers rely instead, on the Facebook app itself playing by the rules. A nefarious hacker merely needs to intercept the Web request issued by the app, and replace his/her own Facebook ID with that of a potential victim.
While the 2600 article is not online, a reader of the Consumerist blog summarized it online:
In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.
The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's.
This is not rocket science, but far closer to computer security 101. Microsoft's Larry Osterman has written about these kinds of flaws on his own blog, describing his effort to educate Microsoft's programmers:
It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."
On Wednesday, I spoke with Adrienne Felt, the University of Virginia researcher whose report first highlighted the excessive and dangerous data sharing that happens between Facebook and its Application developers. When asked for her thoughts on the lack of authentication and security at major Facebook apps, Adrienne told me that, "sadly i am not surprised at all" as "apps are written by people who just barely know anything about coding."
For those of you interested in learning more, someone has taken the time to record a screencast of the attack in action. All that's needed is a Facebook account, the Firefox browser, and the Firebug browser add-on.
Facebook launched a bunch of new privacy controls today, and has received a significant amount of positive press as a result. The praise is perhaps not so deserving--as the new privacy controls can be easily evaded.
The new privacy settings allow users to customize which friends can view specific details in their own profile. Users can lock down specific bits of information to their friends, friends of friends, or even particular individuals.
Facebook's new privacy controls
There is, however, a significant design flaw present in this new feature. Facebook users can select which types of strangers can view their profile. That is, a student at Stanford University can decide to allow other undergrads to view their profile, while specifically forbidding staff and professors who have not been made a friend from viewing it.
This sounds like a great idea, and should be a significant benefit to those students who find that their Facebook-advertised parties were busted by police who found out about the events through the social-networking site.
The primary problem is that Facebook has no way of determining what someone's university status is. The company is only able to verify that the user has a valid .edu e-mail address, which could mean that the person is a student, staff member, professor, or alumni. As a result, Facebook asks users to self-report this information.
Given an example situation where a student doesn't wish for the Facebook-using professors at their university to be able to view their profile, it would be trivially easy for a professor to log in, and change his or her own status to that of an undergrad.
To test this out, I changed my own status at Indiana University to that of an undergrad, a staff member, and an alumni before switching back to being a graduate student. Facebook's system didn't complain once, and I was able to verify that the updated status was indeed reflected on my own profile.
Changing status in Facebook
This is a fairly significant security flaw in Facebook's fancy new privacy controls, and frankly, there isn't too much the company can do to fix it. In the real world, it's perfectly possible for an administrative staff member to go back to school (and thus become an undergrad), or for a grad student to become a professor. The status controls need to be modifiable.
At least under the old controls, Facebook users (in theory) knew that their profiles could, by default, be viewed by any other Facebook user at the same university. This new system provides little in the way of real additional protection, yet may give users a false sense of security, leading the millions of users to post even more stupid and embarrassing things to the site than they currently do.
I spoke with a Facebook spokesperson shortly before press time, who told me that she could not comment on the specific issues I raised.
Disclosure: I am a part-time technology policy fellow at the Electronic Privacy Information Center, where one of my projects involves social-networking privacy issues.
Facebook is no stranger to the complaints of privacy activists. First, it was the site's News Feed feature back in 2006. Most recently, the company's Beacon service drew widespread criticism. This blog post will outline yet another major privacy issue, in which Facebook recklessly exposes user data.
Facebook launched its widely popular application developer program back in May 2007. As of press time, there were more than 14,000 applications. Some, including most of the popular apps, are made by companies, while a few of the popular apps, and a significant number of the long tail of the less popular applications are made by individual developers.
But a new study suggests there may be a bigger problem with the applications. Many are given access to far more personal data than they need to in order to run, including data on users who never even signed up for the application. Not only does Facebook enable this, but it does little to warn users that it is even happening, and of the risk that a rogue application developer can pose.
Privacy problems for the user
In order to install an application, a Facebook user must first agree to "allow this application to...know who I am and access my information." Users not willing to permit the application access to all kinds of data from their profile cannot install it onto their Facebook page.
Screenshot of adding an application
(Credit: Facebook)What kind of information does Facebook give the application developer access to? Practically everything. According to the Application Terms of Service,
... Read more
- prev
- 1
- next
