Facebook App Exposes Abject Insecurity

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."

Re:Really?

[automag]

The problem isn't so much that public information is public, it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust. Should Facebook users be more cautious? Absolutely. But most Facebook users are sheep-le who won't give a second thought to this kind of thing. If someone wants to leave their own information open and public that's one thing, but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

Re:Really?

[betterunixthanunix]

"But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!"

As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.

Re:Privacy is simple

[pnattress]

It's perfectly possible to set privacy settings on Facebook for applications as well as friends. You can control the information other friend's applications can see. (Settings -> Privacy -> Applications). It's not heavily advertised, because if everyone hid all their info it would devalue their API somewhat, but it's definitely there.

Facebook/Firefox fail

[Animats]

That Facebook quiz page puts Firefox 3.5 into a loop at:
"Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"

FAIL.

Re:Really?

[mabinogi]

The ACLU's app lies.

When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.

It doesn't magically grant the app more rights to see stuff than the user installing it already has.

Re:Tracy sure didn't get it...

Tracy's account was hacked by 4chan.

4chan hacked a christian dating site, and got a list of details and passwords contained on it's servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and facebook or if some other step was involved), but they used this to gain access to hundreds of facebook accounts.

They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.

Don't blame Tracy. She didn't post that.

Blame the Christian dating site for insecurity.

Blame 4chan for being 4chan.