Slashdot Mirror


Facebook App Exposes Abject Insecurity

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."
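The access model the summary describes, as an added example (not code from the quiz, the ACLU, or Facebook): an app that inherits the installing user's view reaches friends who never installed it, while a scoped, default-deny check does not. The `User` class, field names and sample graph are constructed for illustration and do not mirror Facebook's API.

```python
"""Toy model of delegated app access on a social graph (constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass
class User:
    name: str
    friends: Set[str] = field(default_factory=set)
    # field name -> (value, audience chosen by the owner)
    profile: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # Fields the owner lets friends' apps read; None = setting never touched.
    friend_app_fields: Optional[Set[str]] = None


def visible_to(viewer: User, owner: User) -> Set[str]:
    """Fields of `owner` that `viewer` may see under the owner's audience settings."""
    out = set()
    for name, (_value, audience) in owner.profile.items():
        if viewer.name == owner.name or audience == PUBLIC:
            out.add(name)
        elif audience == FRIENDS and viewer.name in owner.friends:
            out.add(name)
    return out


def delegated_view(installer: User, owner: User) -> Set[str]:
    """App inherits the installer's view; owners are exposed unless they opted out."""
    fields = visible_to(installer, owner)
    if owner.name != installer.name and owner.friend_app_fields is not None:
        fields &= owner.friend_app_fields
    return fields


def scoped_view(installer: User, owner: User, app_scopes: Set[str]) -> Set[str]:
    """Hardened variant: limited to granted scopes, default-deny for third parties."""
    fields = visible_to(installer, owner) & app_scopes
    if owner.name != installer.name:
        fields &= owner.friend_app_fields or set()
    return fields


def exposure(installer: User, users: Dict[str, User],
             view: Callable[[User, User], Set[str]]) -> Dict[str, Set[str]]:
    """Map each owner to the fields an app installed by `installer` can read."""
    reach = {}
    for name in sorted({installer.name} | installer.friends):
        fields = view(installer, users[name])
        if fields:
            reach[name] = fields
    return reach


def build_sample() -> Dict[str, User]:
    """Constructed graph: alice installs the app; carol and dave never do."""
    alice = User("alice", {"carol", "dave"},
                 {"hometown": ("Springfield", PUBLIC), "religion": ("n/a", FRIENDS)})
    carol = User("carol", {"alice"},
                 {"hometown": ("Shelbyville", PUBLIC), "religion": ("n/a", FRIENDS),
                  "photos": ("album-1", FRIENDS), "phone": ("555-0100", ONLY_ME)})
    # dave has unticked every box in the friends'-apps setting
    dave = User("dave", {"alice"}, {"photos": ("album-2", FRIENDS)},
                friend_app_fields=set())
    return {u.name: u for u in (alice, carol, dave)}


if __name__ == "__main__":
    users = build_sample()
    alice = users["alice"]
    print("delegated:", exposure(alice, users, delegated_view))
    print("scoped:   ", exposure(alice, users,
                                 lambda i, o: scoped_view(i, o, {"hometown"})))
```

In the delegated model carol's friends-only fields are readable even though she never ran the app, but her `only_me` field is not, which matches the bound mabinogi points out further down the thread.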

48 of 205 comments

  1. Really? by Jurily · · Score: 4, Insightful

    Public information is public. News at 11.

    1. Re:Really? by automag · · Score: 5, Informative

      The problem isn't so much that public information is public, it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust. Should Facebook users be more cautious? Absolutely. But most Facebook users are sheep-le who won't give a second thought to this kind of thing. If someone wants to leave their own information open and public that's one thing, but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

      --
      ---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
    2. Re:Really? by Jurily · · Score: 4, Insightful

      but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

      You're assuming that all these people only have 'friends' they actually know and trust.

      If you put it up for others to see it, others will see it. It's that simple.

    3. Re:Really? by automag · · Score: 4, Insightful

      You're assuming that all these people only have 'friends' they actually know and trust.

      If you put it up for others to see it, others will see it. It's that simple.

      No, actually whether a user has friends they 'know and trust' is completely moot. On Facebook someone can have their information handed over to a 3rd party developer by anyone in their network, whether they're someone trusted or not. "A strange game. The only winning move is not to play."

      --
      ---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
    4. Re:Really? by flajann · · Score: 2, Interesting

      As a Facebook Developer myself, I have something to say on this.

      It would be really tough to have the type of security everyone wants, AND have these FB apps to be useful. Tradeoffs, guys. The whole idea in most of these FB apps is the sharing of data between friends, which means the Application will have access to much.

      You could have fine-grained security controls exposed to the user, but this would make FB security confusing to most of its users, and it also would hamper the applications and what they can do.

      And if you were to implement such stringent security procedures now, it would break many of the apps in use.

      I think it's safe to say that never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general.

      But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!

      Having said that, there should also be some ethical guidelines for FB developers.

    5. Re:Really? by Jurily · · Score: 3, Insightful

      I merely assumed that people putting up information specifically for the purpose of others reading it, will consider the fact that other people will read it.

      You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.

    6. Re:Really? by betterunixthanunix · · Score: 4, Informative

      "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!"

      As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.

      --
      Palm trees and 8
    7. Re:Really? by RalphSleigh · · Score: 4, Insightful

      The problem is that even without you authorising any applications, as soon as any of your friends take a quiz, that application can see anything about you your friend can. The "what length of wood is your dog like" quiz has no need of this info, but it's not simple to disable its access.

      You can turn off this behavior, but only if you don't have any applications authorised yourself (I have an application I have written to fill a box with content from an external site on one of my pages, I can't have this on my profile or access the developers network app AND block quizzes from reading my info at the same time).

      Trusting all your friends/networks not to do things that will compromise your privacy is also a non-starter.

      --
      Come as you are, do what you must, be who you will.
    8. Re:Really? by automag · · Score: 2, Insightful

      It's a fair point... People join Social Networking sites because they want to be social. I think you're probably right that the 'solution' has more to do with the developers than the users.

      --
      ---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
    9. Re:Really? by maharb · · Score: 4, Insightful

      What about providing a checkbox for users that says "don't give out my information to anyone but friends". I am a facebook user because of what I can only call peer pressure. I would like it if no one had access to my info except friends but facebook lacks that option. I don't care about apps so why can't I remove myself from this pool of data.

      "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button! "

      The issue here is that if one of my friends trusts an app then they have access to MY data. Why should this be allowed with no way to turn it off. Like I said before, I don't want to participate in the app frenzy of facebook at all. I would be perfectly happy to lose the functionality of the apps for privacy.

      "I think it's safe to say that never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general."

      If that is what facebook and developers think about millions of people's private messages, photos etc they are going to be in for a huge struggle later. People don't realize their facebook info is up for grabs so easy. Once someone publicly demonstrates how much developers (anyone) have access to and the response from facebook is "you should have known" there is going to be a mass exodus from the service or demand for what I am advocating. The idea that information on the internet should be treated as public information is a flaw in logic and a step back for using the internet for more things (like healthcare). This is about security, permissions etc. You can keep information 'safe' on the net. I know hackers can get the info, but I am talking about not giving it out freely.

      As a developer I get what you are saying. You can't provide functional apps without the data. You have to realize though that there are other perspectives, ones that may be more important than what a developer wants. As a customer of facebook, and possibly you and your apps I say I don't like what you want from me. That should be a red flag.

    10. Re:Really? by WCguru42 · · Score: 2, Insightful

      But most Facebook users are sheep-le who won't give a second thought to this kind of thing.

      It's less so that they're "sheep-le" and more so that they are not aware of technology. It's kinda like sending your car to the repair shop when you don't know shit about cars. My friend recently got bilked out of $500 because he was told he had to replace his part with a "certified" component. My friend didn't know any better so he went with what sounded reasonable but in reality it was a rip off. The same goes for most users of facebook, they don't know jack shit about computers, the internet, etc. and they don't know that when facebook updates their security measures that it's really just lip service.

      --
      "Educate the mind but never at the expense of the soul."~Blessed Basil Moreau
    11. Re:Really? by Seumas · · Score: 5, Insightful

      But you might discuss them with your friends. Until you discover that your friend lets everyone on earth into their house any time they want (ie, run Facebook Applications) and one of those people (applications) has installed a listening device in the lamp and everything you thought you were discussing with your private group of friends is actually being directly pumped to some third party who is not your friend.

      People throwing the "imagine that, information on the intarwebs is public!" line are being disingenuous. It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted. Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.

      The nature of facebook, like many other things people use, implies a certain degree of privacy and control over your exposure. It's not at all the same as just blathering all your crap on a public forum for all of google to index and serve up somewhere.

    12. Re:Really? by Seumas · · Score: 3, Interesting

      Actually, facebook is very misleading in this way. There ARE options to make each element of your information *ONLY* available to friends. Or even to nobody.

      Unfortunately, their Facebook Application API directly violates the spirit of that by making it available to people other than your friends.

      The single most awful thing about facebook is the wealth of Applications. They're all crap and at best they're annoying. Every time I see some jack ass wasting my time (because it posts that they are using an app to my information stream) doing another "what kind of dog turd are you?" quiz, it makes me hate humanity just a little bit more.

    13. Re:Really? by Jeremi · · Score: 4, Insightful

      You have no reasonable expectation of privacy in your email communication.

      I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

      By that measure, you certainly do have a "reasonable expectation of privacy" for your email. For example, if your ISP started posting your emails to a public web page, you would have grounds for a lawsuit. Therefore, you can "reasonably expect" that your ISP won't do that.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    14. Re:Really? by bhartman34 · · Score: 2, Informative

      You have no reasonable expectation of privacy in your email communication.

      That's only true in a business setting, and only in relation to your employer, on your employer's mail server.

      Your employer has the right to read your email. You work for them, your email is basically your work product, and they can do whatever they want with it.

      Your personal email account is another matter entirely. Your email can be subpoenaed, but that requires a court's intervention. Your ISP can't just post your email on a public web page and expect to get away with it. They can access your email because it's on their servers, and they have to comply with law enforcement requests that have court orders behind them, but if a private investigator working for your wife wants to get information from your email about your infidelity (assuming you were stupid enough to email your paramour), they wouldn't legally be able to hand over the information.

    15. Re:Really? by gilgongo · · Score: 4, Insightful

      You have no reasonable expectation of privacy in your email communication.

      I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

      The trouble is that this is the first time in history when the three broad realms of "private", "semi-private" and "public" have been mixed together - and it baffles a lot of people.

      In the past, if I sat on my toilet with the door locked, that was private. If I went out and spoke to some friends in a bar, that was semi-private (what I said might get around the village, but not much more), and public was pretty much impossible unless I became a politician or a journalist.

      Now, however, it's very difficult to work out which state you are in at any one time, and what's worse, you often don't know what's public, which is a state that for the vast majority of humans, is totally new.

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    16. Re:Really? by mabinogi · · Score: 3, Informative

      The ACLU's app lies.

      When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.

      It doesn't magically grant the app more rights to see stuff than the user installing it already has.

      --
      Advanced users are users too!
  2. This is the worst part, in general by Anonymous Coward · · Score: 4, Insightful

    Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

    The problem is that it's in the hands of all of your friends and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

    1. Re:This is the worst part, in general by dkleinsc · · Score: 2, Interesting

      have demonstrated a fairly reasonable approach to exploitation of personal information.

      So as long as our personal information is only reasonably exploited, it's a-ok?

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  3. some advice by FudRucker · · Score: 4, Insightful

    if anyone wants to keep their personal information private then keep it off the internet, if you put your photo or real name & location on any part of internet (especially social networking websites) you can bet your life that somebody else is going to exploit that information in any way possible and for $profit$ if that is possible too.

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:some advice by Panzor · · Score: 5, Insightful

      The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

    2. Re:some advice by Kral_Blbec · · Score: 2, Insightful

      What surprised me about the article is an extension of this. Not just pictures, but the entire profile is available. I avoid all the Facebook quizzes and crap because I already know it is a huge security hole that allows them to access your profile, but I never expected that it would also open up your friend's profile when you allow an app. That kind of pisses me off.

    3. Re:some advice by ParanoiaBOTS · · Score: 3, Funny

      The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

      The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. It's not like the person went into your house, pulled out your photo album and uploaded those photos. If you don't want to appear in a photo a person may or may not put online, don't go out in public. It's as simple as that

    4. Re:some advice by silanea · · Score: 2, Insightful

      The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. [...]

      At least in Germany people actually do have such a right (no English article linked, so I assume such a right does not exist in Anglo-American law). Besides, for me courtesy demands that I ask people for permission before I put pictures of them online. What seems harmless to you may get another person fired, disgraced or harassed.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
  4. Facebook App Exposes Abject Insecurity by Dogtanian · · Score: 3, Insightful

    Yeah, I've noticed that this "Facebook" app exposes an abject insecurity.

    Namely that of the users who seem to be obsessed with their not appearing popular enough, and adding as many "friends" as they can.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  5. Privacy is simple by verbatim · · Score: 3, Insightful

    Don't publish/post anything that you wouldn't want made public.

    Simple enough, people? Seriously.

    Grow. The. Fuck. Up. Stop being retarded, paranoid jackasses. Facebook, et.al., are out to make MONEY. That means collecting information, data, digesting it in some way, and then selling that information to advertisers/perverts/your mom/etc.

    I just don't get why people are up in arms about "privacy" on a public website, even one with "private" areas. I mean, it's kind of interesting how people will put personal information on a public website and then build virtual walls around it to keep other people out.

    Are you so embarrassed by your circle of friends/family that you really don't want other people to know?

    Do you really think that you are such an interesting fucking nobody that everyone in the whole goddamn universe wants to know everything about you?

    You are one nobody among a collective of nobodies. Deal. :)

    --
    Price, Quality, Time. Pick none. What, you thought you had a choice?
    1. Re:Privacy is simple by gbjbaanb · · Score: 4, Insightful

      I suppose the problem is one of trust - Facebook says "set your privacy controls and you'll be safe", and some people believe this! Not everyone is educated about the internet, they treat it as they would other people, not realising it's totally different. These people use Facebook.

    2. Re:Privacy is simple by Kral_Blbec · · Score: 2, Insightful

      It's not about posting anything you don't want public. It's about OTHER PEOPLE posting it about you.

    3. Re:Privacy is simple by notamedic · · Score: 4, Insightful

      Facebook is incredibly popular and the start of your third paragraph shows that (aside from an inability to stop swearing) you can't comprehend what the general non-geeky public want from the internet. Social relationships are complicated - how you interact with your friends and what they know about you may not be the same for your family and for your work colleagues.

      I'm not a big fan of facebook, but the people who use pejorative terms to dismiss it obviously don't understand it.

    4. Re:Privacy is simple by pnattress · · Score: 3, Informative

      It's perfectly possible to set privacy settings on Facebook for applications as well as friends. You can control the information other friend's applications can see. (Settings -> Privacy -> Applications). It's not heavily advertised, because if everyone hid all their info it would devalue their API somewhat, but it's definitely there.

    5. Re:Privacy is simple by Seumas · · Score: 4, Insightful

      I think you have missed the entire fucking point of Facebook. Facebook is not about blathering your shit to every fucking moron on earth and acquiring as many "friends" as possible, but about communicating and keeping up with a select group of people that you have chosen to communicate with. For example, colleagues, family, and close friends.

      I don't give a fuck about you or what you have to say day in and day out, but your mom might. Or your school chums. Or your best friend at the office. And since Facebook allows you to restrict your interactions to just these chosen people, you have a right to expect your communication to remain between those designated individuals.

      You know, sort of the same way the telephone company is a commercial enterprise, but you have a reasonable expectation for your conversations to remain private. Or do you consider talking on the telephone to be blathering to the "whole goddamn universe", too?

      Unfortunately, just like your mom probably is more prone to getting a virus on her Windows machine than you are, she's probably more likely to use a "what color are you?" facebook application and thereby put you at risk of exposure.

      Again, it is simply disingenuous to trash people as being idiots for using services where security is inherently implied (and options to protect it are right there in the user preferences -- even though they appear not to be adhered to in this demonstration).

      That doesn't mean you should share your most private secrets on earth anywhere online that is connected with your real identity. It just means that you shouldn't have to worry that your every piece of information is being sold out from under you when you thought it was just between yourself and the people in your circle. And if you have this attitude that you should *EXPECT* that from Facebook, then you should have that same attitude toward every institution you deal with from the place you bought your car, to your electric, phone, cable companies and medical providers. After all, if your bank's databases are cracked and the data stolen and sold out from under you, it's YOUR fault for being stupid enough to give your financial information to your financial institution, right?

      Also, as much as I hate Twitter and Facebook and all these things (though I like LinkedIN), you at the very least are often obligated to sign up so that you can protect your identity from being used by someone *else*. And as much as I hate attention-whores, even they deserve an expectation of a certain degree of privacy in situations where that privacy is implied.

  6. How convincing is the quiz? by Jah-Wren+Ryel · · Score: 2, Interesting

    Could someone with a facebook account "review" this quiz?

    I don't have a facebook account so I can't do much with it. But I would like to send it to friends and family that do have accounts. These people aren't the type to comprehend the ACLU blog, so I'd like to know just how well the quiz makes its point. Is my 20 year-old niece who 'friends' anyone who sends a friend request going to achieve cluevana by doing the quiz, or is the quiz no more meaningful to the unenlightened than the blog post that inspired it?

    --
    When information is power, privacy is freedom.
    1. Re:How convincing is the quiz? by xiox · · Score: 2, Interesting

      Pretty convincing. It appears to show any of the information or photos I can see about myself or my friends. Presumably a very popular facebook app could harvest data on pretty well everyone in facebook, no matter their privacy settings.

    2. Re:How convincing is the quiz? by tolan-b · · Score: 2, Insightful

      Because Facebook is supposed to limit your data to your friends and applications *you* choose to trust. But it doesn't give you any control over which data of yours is visible to an application installed by someone else in your network.

      Therefore if your mum installs a rogue app then she gives away every piece of data she can view about all her friends and family (who happen to be on Facebook), including you. That's going to include most of your data on Facebook.

      Therefore what the hell is the point of having any privacy controls at all? They're simply misleading, all your data has already been made available to multiple third parties without consulting you.

  7. Yes, ordinary people are stupid regarding privacy by RIpRapRob · · Score: 5, Interesting

    But here is what Facebook tells their users:

    Facebook Principles

    ...

    We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information.

    ...

    Facebook follows two core principles:

    1. You should have control over your personal information.

    Yeah, there is a lot of 'small print' too, but why wouldn't the average user expect the information they put on Facebook to be private, unless they change some (default) setting?

  8. TFA by Magic5Ball · · Score: 2, Interesting

    QUESTION 1: When you take a quiz on Facebook, what can the quiz see about you?
    Only your answers to its questions.
    Only information that is set as "public" on your profile.
    Almost everything on your profile, even if you use privacy settings to limit access.

    Correct!

    Even if you have your profile information and content set to "private," quizzes can see almost everything that you share with your friends on Facebook: your politics and religion, embarrassing photos, comments you leave on your friends' Wall. It doesn't seem like a quiz developer has any reason to poke around in your profile, but it's temptingly easy to do so.

    For example, here are just a few things this quiz can see in your profile:

    [Random stuff from your own profile. *Some data/counts in aggregate*]

    QUESTION 2: What info about you can a quiz see when your friends take a quiz?
    Nothing at all, unless they use your name in an answer somehow.
    Only information from your profile that is visible to everyone on Facebook.
    Almost everything on your profile, even if you use privacy settings to limit who can see that information.

    Correct!

    Yes, that's right: when your friend takes a quiz, the quiz maker gets access to your information! So even if you're being careful, if you haven't changed the right privacy settings, your information could be collected by anyone who writes a quiz that your friends take!

    Check out what this quiz can see about some of your friends (loads slowly - give it a sec!):

    [Random stuff from your friends' profiles. *Some data/counts in aggregate*]

    QUESTION 3: There must be safeguards somewhere, right? My information is safe because:
    Facebook's default privacy settings prevent application developers from scouring my information.
    Facebook carefully screens developers to ensure that they are trustworthy and requires that they post and comply with a privacy policy.
    Facebook uses technical measures to limit how developers collect and use personal information.
    None of the above - and that's a real problem.

    Correct!

    The only protection Facebook offers by default is its Terms of Service, which state that developers must collect only the information that they need and use it only in connection with Facebook.

    But all it takes to be a developer is an email address, and so few of even the top developers have a privacy policy at all, it's hard to believe that Terms of Service will hold them back if they want to collect information, and (as this quiz has shown) they can access a lot of it.

    And once details about your personal life are collected by a quiz developer, who knows where they could end up or how they could be used. Shared? Sold? Turned over to the government?

    QUESTION 4: OK, that sounds like a real problem. So what should I do?
    Give up and quit Facebook forever.
    Resign myself to losing control over my personal information.
    Demand the right to control my information without sacrificing the right to use new technology.

    Of course you know the answer: take a stand and demand control!

    What's going on with these quizzes just isn't right. It's time for Facebook to upgrade its privacy controls so that you decide who gets to see your personal information.

    That's where you come in. As we've seen before, Facebook does respond when users protest. So we need to make some noise!

    * Update your own privacy settings.

    * Share this quiz on Facebook and encourage your friends to take it!

    * Sign our online petition and tell Facebook that you want more control of your own information.

    * And, finally, help the movement grow by becoming a fan of the dotRights campaign and voting for our "The Secret Lives of On

    --
    There are 1.1... kinds of people.
  9. Re:Facebook: by TheVelvetFlamebait · · Score: 2, Funny

    Don't look now, but I think they achieved Step 3 without Step 2.

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  10. TFTFY by denzacar · · Score: 2, Insightful

    Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

    The problem is that it's in the hands of all of your "friends" and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

    Facebook friends are often not even acquaintances. They are not your friends, no matter how Facebook refers to them.

    --
    Mit der Dummheit kämpfen Götter selbst vergebens
  11. Re:There is no insecurity at all. Move along. by donatzsky · · Score: 2, Informative

    Actually you can:
    http://www.facebook.com/home.php#/privacy/?view=platform&tab=other

    Simply untick all the boxes there.

  12. Tracy sure didn't get it... by speedtux · · Score: 2, Funny

    Tracy apparently had some trouble with the concept of "privacy" (or lack thereof) on Facebook...

    1. Re:Tracy sure didn't get it... by Anonymous Coward · · Score: 4, Informative

      Tracy's account was hacked by 4chan.

      4chan hacked a Christian dating site, and got a list of details and passwords contained on its servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and facebook or if some other step was involved), but they used this to gain access to hundreds of facebook accounts.

      They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.

      Don't blame Tracy. She didn't post that.

      Blame the Christian dating site for insecurity.

      Blame 4chan for being 4chan.

  13. Disabled by magloca · · Score: 2, Informative

    Seems the app has already been disabled. Apparently, there's something in the terms you have to agree to to write an app about not collecting more info than necessary. And presumably, Facebook felt that this one did. Or maybe they thought they could distance themselves from the embarrassment. Who knows.

  14. Facebook/Firefox fail by Animats · · Score: 3, Informative

    That Facebook quiz page puts Firefox 3.5 into a loop at:
    "Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"

    FAIL.

    1. Re:Facebook/Firefox fail by commodoresloat · · Score: 2, Insightful

      So it's impossible to take a Facebook quiz using Firefox 3.5?

      That's a feature, not a bug.

  15. Re:There is no insecurity at all. Move along. by Seumas · · Score: 2, Insightful

    You miss the point of Facebook, entirely. It's about sharing information with a controlled group of people you have chosen; not every person on the planet who wants it. The problem here is that a site promotes itself as a place you can associate and communicate with a selected community of people that you have individually selected and granted access to and all of its literature promotes the ability for YOU to have CONTROL over your information and interactions (otherwise, they'd just keep using Myspace or something else) while actually violating the implied spirit of everything users sign up for.

    Also, I'm glad you feel that violating the entire premise of your service is okay as long as you post it in your Developer API documents that I'm sure everyone's mom and grandparents read before signing up to the service.

  16. Re:There is no insecurity at all. Move along. by bhartman34 · · Score: 2, Insightful

    Facebook and its apps work exactly as advertised. It is a site that's ALL ABOUT SHARING INFORMATION, and guess what, that's what it does. When you take a quiz or use an app, it tells you you're granting it access to lots of stuff. I forget the exact wording, but none of this is a surprise. It takes all of a few minutes looking through the developer docs to see that if you write an app, you get access to, well, yeah, everything.

    The problem here is that some people sign up on a site that exists to share personal information, run apps that give away personal information and tell you they're doing it, and are then surprised.

    No, that's not the problem. The problem is that when Facebook creates a privacy setting that says "Only Friends" can view the information, that's exactly what should happen: Only friends should be able to see it. It's true that the applications all have a disclaimer saying that they can see and use friends' information, but one can easily understand the cognitive dissonance created when Facebook, on the one hand, tells you that you can designate information as private, and on the other, allows applications to violate that privacy without your giving it that permission. It's one thing if an app can access the "private" information of the person taking the quiz. It's quite another when it gets access to the personal information of people who didn't take the quiz, didn't give the app in question the rights to the "private" information, and thought they were doing "all the right things" by restricting their private information to only their friends.

    The cornerstone of privacy is informed consent.

  17. Re:Yes, ordinary people are stupid regarding priva by RIpRapRob · · Score: 3, Insightful

    No, "Private" as in "only friends I have chosen to share information with", not as in "and every application that they are stupid enough to install".

    And you are missing the point

    No one is "feeding the information" to an application. The application is sucking the information without anyone being aware of it.

    The solution is simple:

    Whenever one of my friends grants an application access to my data, Facebook should ask me:

    "You have chosen NOT to share information with applications on Facebook. Your friend XYZ has now granted Application APP1 access to your profile. What would you like to do now?

    [ALLOW]---[BLOCK APP1 ACCESS TO YOUR PROFILE]---[REMOVE XYZ FROM FRIEND LIST]"

  18. Re:Yes, ordinary people are stupid regarding priva by m50d · · Score: 2, Insightful

    No, "Private" as in "only friends I have chosen to share information with", not as in "and every application that they are stupid enough to install".

    That's drawing a distinction that doesn't exist. If you give a friend access to your profile they can do anything with that data; this just makes it more immediately clear.

    The application is sucking the information without anyone being aware of it.

    No; the friend will get asked when they run the application, effectively "do you want to give this access to anything you can see".

    --
    I am trolling
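
The two access models argued over in the comments above (an app inheriting its runner's view, versus the owner prompt proposed in comment 17), as an added example that is not part of the thread and not Facebook's code. The `User` fields, function names and sample users are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    share_with_apps: bool = True                       # owner's platform setting (assumed)
    app_decisions: dict = field(default_factory=dict)  # app -> "allow" | "block"

def can_view(viewer, owner):
    """'Only Friends' visibility: the owner and the owner's friends see the profile."""
    return viewer.name == owner.name or viewer.name in owner.friends

def inherited_access(app, runner, owner):
    """Model described in the thread: the app sees whatever its runner sees."""
    return "allow" if can_view(runner, owner) else "deny"

def owner_consent_access(app, runner, owner):
    """Proposed model: the runner's visibility is necessary but not sufficient."""
    if not can_view(runner, owner):
        return "deny"
    if runner.name == owner.name:
        return "allow"                 # the runner consented for their own data
    if app in owner.app_decisions:     # the owner already answered the prompt
        return "allow" if owner.app_decisions[app] == "allow" else "deny"
    return "allow" if owner.share_with_apps else "ask_owner"

def sweep(app, runner, users, policy):
    """Profiles the app can read when `runner` runs it, plus owners to prompt."""
    readable, prompts = [], []
    for owner in users:
        verdict = policy(app, runner, owner)
        if verdict == "allow":
            readable.append(owner.name)
        elif verdict == "ask_owner":
            prompts.append(owner.name)
    return readable, prompts

# Constructed sample data: alice has opted out of sharing with applications.
alice = User("alice", friends={"bob"}, share_with_apps=False)
bob = User("bob", friends={"alice", "carol"})
carol = User("carol", friends={"bob"})
dave = User("dave")
USERS = [alice, bob, carol, dave]
```

Under `inherited_access`, bob running a quiz exposes alice's profile despite her opt-out; under `owner_consent_access` her profile is withheld until she answers the prompt.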