Facebook App Exposes Abject Insecurity
ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."
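To make the access model in the summary concrete (an app runs with the view of whoever installed it, so a friend's friends-only posts reach an app that friend never ran), here is an added Python model; it is not Facebook's API or the quiz's code, the users and posts are constructed, and the `allow_friend_apps` opt-out is an assumed mitigation knob rather than a documented setting.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)       # names of friends
    posts: list = field(default_factory=list)       # (text, audience)
    installed_apps: set = field(default_factory=set)
    allow_friend_apps: bool = True                  # assumed opt-out, not a real setting

def visible_to(viewer: User, owner: User) -> list:
    """Posts of `owner` that `viewer` can see: all of their own posts,
    public posts, and friends-only posts when the viewer is a friend."""
    if viewer is owner:
        return [text for text, _ in owner.posts]
    return [text for text, audience in owner.posts
            if audience == "public"
            or (audience == "friends" and viewer.name in owner.friends)]

def app_can_read(app: str, users: dict) -> dict:
    """Everything `app` can read, keyed by data owner: the union over each
    installing user's view, because the app inherits that user's privileges.
    Owners who opted out of friends' apps are skipped unless they run it themselves."""
    exposed = {}
    for runner in users.values():
        if app not in runner.installed_apps:
            continue
        for owner in users.values():
            if owner is not runner and not owner.allow_friend_apps:
                continue
            for text in visible_to(runner, owner):
                exposed.setdefault(owner.name, set()).add(text)
    return exposed

def build_graph() -> dict:
    """Constructed sample graph: only Alice installed the quiz."""
    alice = User("alice", friends={"bob"}, installed_apps={"quiz"},
                 posts=[("alice-private", "only_me")])
    bob = User("bob", friends={"alice"},
               posts=[("bob-to-friends", "friends"), ("bob-secret", "only_me")])
    carol = User("carol", friends=set(),
                 posts=[("carol-public", "public"), ("carol-to-friends", "friends")])
    return {u.name: u for u in (alice, bob, carol)}
```

Running `app_can_read("quiz", build_graph())` shows Bob's friends-only post in the app's reach even though Bob never installed it; flipping Bob's `allow_friend_apps` to `False` removes him from the result.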
Step 2. ?????
Step 3. Profit!!!!
========
Wait, let me clarify
Step 2 = Blackmail
Facebook and its apps work exactly as advertised. It is a site that's ALL ABOUT SHARING INFORMATION, and guess what, that's what it does. When you take a quiz or use an app, it tells you you're granting it access to lots of stuff. I forget the exact wording, but none of this is a surprise. It takes all of a few minutes looking through the developer docs to see that if you write an app, you get access to, well, yeah, everything.
The problem here is that some people sign up on a site that exists to share personal information, run apps that give away personal information and tell you they're doing it, and are then surprised.
Point taken. I could look at the code for any given program and fail to see the most glaringly obvious security flaws. What sets me (and, presumably, most Slashdotters) apart from the herd is that we are willing to read, willing to investigate, willing to make decisions, and we decide who to trust and who not to trust. I don't need to understand the flaws in Java or IRC to understand articles published all over the web stating something to the effect of "ApplicationX versions prior to 1.6 have been found to be insecure due to a buffer overrun, please update to version 1.7."
The average Windows home user implicitly trusts everything he sees on the net. "Your computer could be infected with viruses, please run our free scanner." He never even looks to see who is offering the scanner, he doesn't search for that company, he just clicks it, runs it, then downloads the trojan offered when viruses are found.
I've clicked a couple of those things to see what they might find on my Linux boxes. Amazingly, they found all sorts of stuff on my C: Imagine that.....
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br