Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook App Exposes Abject Insecurity

Posted by CmdrTaco on from the pay-no-attention-to-the-hole-in-my-pants dept.

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."

9 of 205 comments (clear)

  1. Re:Really? by automag · · Score: 5, Informative

    The problem isn't so much that public information is public, it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust. Should Facebook users be more cautious? Absolutely. But most Facebook users are sheep-le who won't give a second thought to this kind of thing. If someone wants to leave their own information open and public that's one thing, but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

    --
    ---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
  2. Re:Really? by betterunixthanunix · · Score: 4, Informative

    "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!"

    As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.

    --
    Palm trees and 8
  3. Re:There is no insecurity at all. Move along. by donatzsky · · Score: 2, Informative

    Actually you can:
    http://www.facebook.com/home.php#/privacy/?view=platform&tab=other

    Simply untick all the boxes there.

    --
    VPS-like shared hosting, on under-crowded servers.
  4. Re:Privacy is simple by pnattress · · Score: 3, Informative

    It's perfectly possible to set privacy settings on Facebook for applications as well as friends. You can control the information other friend's applications can see. (Settings -> Privacy -> Applications). It's not heavily advertised, because if everyone hid all their info it would devalue their API somewhat, but it's definitely there.

  5. Disabled by magloca · · Score: 2, Informative

    Seems the app has already been disabled. Apparently, there's something in the terms you have to agree to to write an app about not collecting more info than necessary. And presumably, Facebook felt that this one did. Or maybe they thought they could distance themselves from the embarrassment. Who knows.

  6. Facebook/Firefox fail by Animats · · Score: 3, Informative

    That Facebook quiz page puts Firefox 3.5 into a loop at:
    "Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"

    FAIL.

  7. Re:Really? by bhartman34 · · Score: 2, Informative

    You have no reasonable expectation of privacy in your email communication.

    That's only true in a business setting, and only in relation to your employer, on your employer's mail server.

    Your employer has the right to read your email. You work for them, your email is basically your work product, and they can do whatever they want with it.

    Your personal email account is another matter entirely. Your email can be subpoenaed, but that requires a court's intervention. Your ISP can't just post your email on a public web page and expect to get away with it. They can access your email because it's on their servers, and they have to comply with law enforcement requests that have court orders behnid them, but if a private investigator working for your wife wants to get information from your email about your infidelity (assuming you were stupid enough to email your paramour), they wouldn't legally be able to hand over the information.

  8. Re:Really? by mabinogi · · Score: 3, Informative

    The ACLU's app lies.

    When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.

    It doesn't magically grant the app more rights to see stuff than the user installing it already has.

    --
    Advanced users are users too!
  9. Re:Tracy sure didn't get it... by Anonymous Coward · · Score: 4, Informative

    Tracy's account was hacked by 4chan.

    4chan hacked a christian dating site, and got a list of details and passwords contained on it's servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and facebook or if some other step was involved), but they used this to gain access to hundreds of facebook accounts.

    They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.

    Don't blame Tracy. She didn't post that.

    Blame the Christian dating site for insecurity.

    Blame 4chan for being 4chan.