A report on BBC's technology program, Click, has exposed yet another security flaw in Facebook - one that could compromise users' privacy. This particular hack involves using a Facebook application to steal a user's personal information - and the information of all their friends - without the user's knowledge.
The hack exposed by the BBC involves an application that, once added by an unsuspecting user, sends the hacker all of that person's personal details and those of their friends in a formatted list. The details sent include things like full name, hometown, date of birth, and employer. BBC reporter Spencer Kelly notes that while this information on its own isn't enough to steal someone's identity, it certainly would help.
It's possible for a malicious Facebook application, like the one used in the news story, to masquerade as a game or a quiz. And unlike protecting yourself from phishing emails, it's not enough for you to "know better" yourself - if even one of your friends installs the app, your details get stolen too.
Despite the severity of this potential hack, stories like this one are old news to those who follow social network hacking trends.
For example, white hat hacker "theharmonyguy" wrote on his blog, Social Hacking, back in March about an app he submitted to social media instructor Lee Aase's $100 hacking challenge. His app, once installed, would grab any available information from a private Facebook group. The app didn't win the challenge, however, since it required action on the part of the user to be successful.
However, theharmonyguy points out that although Facebook's Terms of Use restrict applications from storing most user data, "there is not a practical way for Facebook to enforce or even completely audit this requirement." And since these applications are third-party code, they are essentially running on the honor system.
Facebook, especially, has been plagued by security lapses of late, with the AP reporting on a security exploit that exposed private photos on the site back in March. However, as one of our own commenters pointed out, that hack was known as early as February; it just took the AP's coverage to bring attention to the matter.
Then there was a story in January about the Facebook app Secret Crush, which downloaded and installed spyware on your computer. And it's not just Facebook under the gun - back in November, TechCrunch reported on an OpenSocial hack, this one involving RockYou and Plaxo.
Reading these types of stories reminds us that our security on these networks is in the hands of unknown developers, not just the sites themselves - developers who may be more concerned with getting their apps completed and installed than they are with security.
Facebook's response to this latest BBC story is that they have "an entire investigations team that watches the site and removes content and third-party applications that violate Facebook's Terms of Use." At the same time, they advise users to "employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop."
In other words, your security is left to the tech-savviness of you and your friends. (Considering my years in I.T./end user support, that's a frightening concept. Many users aren't smart, savvy, or careful when online.)
Even worse, if you do become a victim of an attack, good luck getting support from Facebook on dealing with it. As Lauren Cooney reports, after her account was compromised and used to send out spam, she emailed the Facebook team several times and spent the better part of an hour trying to track down a customer service number, to no avail, noting "you would think that a company that collects that much data on their users would consider having a customer service number." In the end, it was nine hours before she received an email response.
What this means for the average social networker is that we need to be very careful on these networks, and should not entirely rely on them to keep us safe. If there's really a photo you don't want certain people to see, maybe it's best to keep it offline forever. We also need to be vigilant about the applications we install, on Facebook and elsewhere, and take the time to educate our friends to do the same.
Comments
The BBC story highlights an inherent aspect of Facebook's Platform that makes development easy but allows for such hacks. Facebook has taken steps in their architecture to address other potential issues (ones that plagued the early versions of OpenSocial, thus allowing for the RockYou hack), but this one remains questionable. Another good resource on the subject is Adrienne Felt's work, where she also offers a potential solution.
As I've said before, these issues don't mean we should never use any social networking applications (any technology is susceptible to hacking), but we do need to raise user awareness, which is exactly what the BBC is doing. And thanks for credits in your article.
Posted by: theharmonyguy | May 1, 2008 1:32 PM
Sarah, I've seen longer and more complicated articles written that don't put this simple truth anywhere as neatly as you do here: developers may be more concerned with getting their apps completed and installed than with getting the security right.
(One more reason to blog, just so I could link to that simple smart sentence). I'm fairly educated about security -- but this is somewhat new ground; do you have suggestions for other reading on how we vet applications?
Thanks for a thoughtful, helpful read.
Posted by: Merredith | May 1, 2008 1:45 PM
This is not really a hack; it has been a feature in the Facebook Platform since the beginning.
I was developing a Facebook application a few months ago and I was fascinated by the amount of information you can grab from a user.
The silliest part is that this kind of information is in the "basic package" (if the user checks the first mandatory mark when adding a new application). Facebook is NOT telling users the application will be able to know your personal information and your friends' personal info.
You say that a malicious app "COULD" store/use this information. I think some of them are actually storing/using this information. It is so valuable, why leave it behind?
Posted by: Vincent | May 1, 2008 1:56 PM
Calling this a "hack" is like saying someone "hacked" a Starbucks tip jar by reaching his hand in and taking the money.
I've been developing Facebook apps for clients since the platform launched. All that user data is, and always has been, there for the taking. As a matter of fact, Facebook's documentation tells you exactly what you can get and how to get it.
It requires no specialized knowledge or security exploits to request the information. You just ask for it, and Facebook returns it. It's that simple.
Facebook has a catch 22 with this situation. Providing all that data is what makes apps useful and interesting. Cutting it off would cripple the app ecosystem. However, it requires Facebook to completely rely on the developers' own honesty in following the Terms Of Service (which say you can't store that data).
Posted by: Warren Benedetto | May 1, 2008 2:30 PM
We can debate about whether or not it is a hack but debating terminology doesn't get us anywhere. In the end it is a breach of information that most people would be uncomfortable with.
It doesn't matter if the "feature" is intended or accidental, IMHO it's junk with no benefit to users that I can think of (unless they'd prefer advertisers know more info about them...)
Imagine the average IT decision maker reading about this and his perception of what this means for the platform. Is Facebook ready for compliance- and security-conscious businesses?
Posted by: Travis Retzlaff | May 1, 2008 2:56 PM
This article is silly. Facebook wasn't hacked, and they provide privacy controls for both scenarios: when I install an app and when a friend of mine installs an app.
For once Facebook anticipated privacy concerns and has it covered. Way to sensationalize a non-issue, though.
Posted by: Jesse Farmer | May 1, 2008 4:15 PM
This is being discussed on the Facebook Developer's forum:
http://forum.developers.facebook.com/viewtopic.php?id=14274
Posted by: David Palmer | May 1, 2008 4:37 PM
This article makes me feel nervous, but I know that Facebook is 100x better than MySpace when it comes to privacy. I am pretty sure they will fix it up soon.
Posted by: Andrew | May 1, 2008 5:42 PM
The amount of sheer misinformation you're spitting out at people in this article is beyond hilarious. You know nothing about the Facebook Platform or how it works. Neither does the BBC.
You write these articles to inspire fear in your clueless readers, because that's what gets you more clueless readers.
When you add an app, the FIRST thing it asks is if you want to allow it to access your personal information. Apps can also only see as much as any regular friend of yours could see on your profile.
If you act like a typical user and post nude photos and bank account numbers, don't go blaming Facebook or whatever else. You're the idiotic user. Why would you place sensitive personal information on a website?
Think before you write crap like this.
Posted by: ducky | May 1, 2008 8:25 PM
ducky, you are right.
These web applications are very good, but people generally don't read what information is there; generally they look for photographs or the title of the applications.
Posted by: Ajay | May 2, 2008 2:12 AM
WOW you people are interesting:-)
Posted by: mac flash | May 2, 2008 6:14 AM
@7 "It doesn't matter if the "feature" is intended or accidental, IMHO it's junk with no benefit to users that I can think of (unless they'd prefer advertisers know more info about them...)"
On the contrary, allowing this data to be accessible is a huge benefit to app users. This is what allows a music app to suggest songs you may like based on the music interests you've expressed in your profile. This is what allows apps to recommend restaurants or events based on your geographic location. This is what allows apps to offer interesting breakdowns of your friends' interests and activities. It's one of the BIGGEST benefits for users, when the developer acts responsibly.
@12 ducky is right. There's nothing that apps can find out that you or your friends couldn't find out by visiting each others' profiles (unless the user specifically allows apps to have more access, in which case they have no right to complain).
However, you have to admit that the apps make it easier to aggregate and parse that information in a single location. For an identity thief, that's certainly easier than visiting (or spidering and screenscraping) individual profiles.
Posted by: Warren Benedetto | May 2, 2008 7:19 AM
@Warren: Yes, there are benefits to having access to this information - but as Felt points out in her research, most apps do not need this information. Why not limit app access based on need?
And you're exactly right that this makes it tons easier for someone to aggregate and parse such information. Yes, one of my friends could access my data - but one app developer could access the data for thousands of people like me. And if I set my profile to private, the app developer already has more access than someone outside my friends circle.
The main point, though, is that I'd wager most users haven't thought through what they're giving applications access to when they tick that little checkmark so they can send a friend a bumper sticker. Articles like this raise user awareness, which is a good thing.
Posted by: theharmonyguy | May 2, 2008 8:42 AM
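The two points the thread keeps circling back to are that one install exposes the installer's friends too, and that an app with a handful of installers can aggregate far more profiles than any single friend could. The model below is an added illustration written for this page, not code from the BBC, Facebook, or any commenter; the profiles, friend graph, and the two policy names ("basic" and "need") are constructed assumptions, with "need" standing in for the need-based access limit suggested in the comment above.

```python
from typing import Dict, Set

# Fields the article reports the BBC app pulling for the installer and friends.
BASIC_PACKAGE = {"name", "hometown", "birthday", "employer"}

# Constructed social graph and profiles for the model (not real people).
PROFILES: Dict[str, Dict[str, str]] = {
    "alice": {"name": "Alice", "hometown": "Leeds", "birthday": "1980-01-02",
              "employer": "Acme", "music": "jazz"},
    "bob":   {"name": "Bob", "hometown": "York", "birthday": "1979-05-06",
              "employer": "Globex", "music": "punk"},
    "carol": {"name": "Carol", "hometown": "Bath", "birthday": "1985-09-10",
              "employer": "Initech", "music": "folk"},
    "dave":  {"name": "Dave", "hometown": "Hull", "birthday": "1990-03-04",
              "employer": "Umbrella", "music": "soul"},
}
FRIENDS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol"}, "bob": {"alice", "dave"},
    "carol": {"alice"}, "dave": {"bob"},
}


def app_view(installer: str, policy: str, declared: Set[str]) -> Dict[str, Dict[str, str]]:
    """What a single install lets the app read, under a hypothetical policy.
    'basic': the basic package of the installer and every friend, i.e. the
             behaviour the article and the thread describe.
    'need':  only the fields the app declared it needs, and only from the
             installer, the one person who actually ticked the checkbox."""
    if policy == "basic":
        subjects, fields = {installer} | FRIENDS[installer], BASIC_PACKAGE
    elif policy == "need":
        subjects, fields = {installer}, declared
    else:
        raise ValueError(f"unknown policy: {policy}")
    return {u: {f: v for f, v in PROFILES[u].items() if f in fields} for u in subjects}


def reach(installers: Set[str], policy: str, declared: Set[str]) -> Dict[str, Dict[str, str]]:
    """Union of everything one app learns across all of its installers: the
    aggregation point made in the thread (few installs, many profiles)."""
    seen: Dict[str, Dict[str, str]] = {}
    for who in installers:
        for user, data in app_view(who, policy, declared).items():
            seen.setdefault(user, {}).update(data)
    return seen
```

With the constructed graph, two installs under "basic" hand the app the basic package of all four users, while a music app under "need" gets only the two installers' music field.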
Though btw, I will agree that the headline is misleading - I wouldn't consider the BBC experiment hacking, per se. Though granted, some of my "hacks" have hardly been more sophisticated. :)
Posted by: theharmonyguy | May 2, 2008 8:43 AM
This is a ploy by BBC to get more viewers/visitors to their site.
They didn't "hack" Facebook. They created a Facebook application that makes use of features that have been available since the beginning. BBC didn't do anything that isn't readily available to anyone wanting to create a web app with Facebook.
To Facebook users, if you want to keep information private, don't post it on an online social website.
Posted by: djacobs | May 5, 2008 8:08 AM