Slashdot Mirror


Facebook App Exposes Abject Insecurity

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."

27 of 205 comments

  1. Really? by Jurily · · Score: 4, Insightful

    Public information is public. News at 11.

    1. Re:Really? by automag · · Score: 5, Informative

      The problem isn't so much that public information is public, it's that Facebook represents itself as secure and private to its users and then leaves the barn door open for developers, betraying that trust. Should Facebook users be more cautious? Absolutely. But most Facebook users are sheep-le who won't give a second thought to this kind of thing. If someone wants to leave their own information open and public that's one thing, but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

      --
      ---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
    2. Re:Really? by Jurily · · Score: 4, Insightful

      but when they leave their entire network of 'Facebook friends' information public by proxy (even if their friend has done everything 'right' in terms of securing their information) that's where the real problem lies.

      You're assuming that all these people only have 'friends' they actually know and trust.

      If you put it up for others to see it, others will see it. It's that simple.

    3. Re:Really? by automag · · Score: 4, Insightful

      You're assuming that all these people only have 'friends' they actually know and trust.

      If you put it up for others to see it, others will see it. It's that simple.

      No, actually whether a user has friends they 'know and trust' is completely moot. On Facebook someone can have their information handed over to a 3rd party developer by anyone in their network, whether they're someone trusted or not. "A strange game. The only winning move is not to play."

      --
      ---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
    4. Re:Really? by Jurily · · Score: 3, Insightful

      I merely assumed that people putting up information specifically for the purpose of others reading it, will consider the fact that other people will read it.

      You announce your birthday or put up an invitation to a party, but you don't put the steamy details of last night up there.

    5. Re:Really? by betterunixthanunix · · Score: 4, Informative

      "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button!"

      As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.

      --
      Palm trees and 8
    6. Re:Really? by RalphSleigh · · Score: 4, Insightful

      The problem is that even without you authorising any applications, as soon as any of your friends take a quiz, that application can see anything about you your friend can. The "what length of wood is your dog like" quiz has no need of this info, but it's not simple to disable its access.

      You can turn off this behavior, but only if you don't have any applications authorised yourself (I have an application I have written to fill a box with content from an external site on one of my pages, I can't have this on my profile or access the developers network app AND block quizzes from reading my info at the same time).

      Trusting all your friends/networks not to do things that will compromise your privacy is also a non-starter.

      --
      Come as you are, do what you must, be who you will.
    7. Re:Really? by maharb · · Score: 4, Insightful

      What about providing a checkbox for users that says "don't give out my information to anyone but friends". I am a facebook user because of what I can only call peer pressure. I would like it if no one had access to my info except friends but facebook lacks that option. I don't care about apps so why can't I remove myself from this pool of data.

      "But, every time you install an FB app, it DOES ask you if you wish to allow the app to have full access to your information. So, if you don't feel comfortable, don't click that button! "

      The issue here is that if one of my friends trusts an app then they have access to MY data. Why should this be allowed with no way to turn it off. Like I said before, I don't want to participate in the app frenzy of facebook at all. I would be perfectly happy to lose the functionality of the apps for privacy.

      "I think it's safe to say that never put anything on Facebook that you wouldn't feel comfortable with the whole world seeing. And that goes for the Internet in general."

      If that is what facebook and developers think about millions of people's private messages, photos etc. they are going to be in for a huge struggle later. People don't realize their facebook info is up for grabs so easy. Once someone publicly demonstrates how much developers (anyone) have access to and the response from facebook is "you should have known" there is going to be a mass exodus from the service or demand for what I am advocating. The idea that information on the internet should be treated as public information is a flaw in logic and a step back for using the internet for more things (like healthcare). This is about security, permissions etc. You can keep information 'safe' on the net. I know hackers can get the info, but I am talking about not giving it out freely.

      As a developer I get what you are saying. You can't provide functional apps without the data. You have to realize though that there are other perspectives, ones that may be more important than what a developer wants. As a customer of facebook, and possibly you and your apps I say I don't like what you want from me. That should be a red flag.

    8. Re:Really? by Seumas · · Score: 5, Insightful

      But you might discuss them with your friends. Until you discover that your friend lets everyone on earth into their house any time they want (i.e., run Facebook Applications) and one of those people (applications) has installed a listening device in the lamp and everything you thought you were discussing with your private group of friends is actually being directly pumped to some third party who is not your friend.

      People throwing the "imagine that, information on the intarwebs is public!" line are being disingenuous. It's like saying you have no reasonable expectation of privacy in your email communication, just because it technically *could* be intercepted. Or that using online banking proves you're an idiot, because your login information *could* be compromised if someone got physical or root access to the bank's database server.

      The nature of facebook, like many other things people use, implies a certain degree of privacy and control over your exposure. It's not at all the same as just blathering all your crap on a public forum for all of google to index and serve up somewhere.

    9. Re:Really? by Seumas · · Score: 3, Interesting

      Actually, facebook is very misleading in this way. There ARE options to make each element of your information *ONLY* available to friends. Or even to nobody.

      Unfortunately, their Facebook Application API directly violates the spirit of that by making it available to people other than your friends.

      The single most awful thing about facebook is the wealth of Applications. They're all crap and at best they're annoying. Every time I see some jack ass wasting my time (because it posts that they are using an app to my information stream) doing another "what kind of dog turd are you?" quiz, it makes me hate humanity just a little bit more.

    10. Re:Really? by Jeremi · · Score: 4, Insightful

      You have no reasonable expectation of privacy in your email communication.

      I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

      By that measure, you certainly do have a "reasonable expectation of privacy" for your email. For example, if your ISP started posting your emails to a public web page, you would have grounds for a lawsuit. Therefore, you can "reasonably expect" that your ISP won't do that.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    11. Re:Really? by gilgongo · · Score: 4, Insightful

      You have no reasonable expectation of privacy in your email communication.

      I think you don't understand the concept of "reasonable expectation of privacy". It's not a technical idea meaning "this data is secure". It's a social/legal idea, meaning "third parties are supposed to know that this data is private, and so they should keep out of it even if they are technically able to look".

      The trouble is that this is the first time in history when the three broad realms of "private", "semi-private" and "public" have been mixed together - and it baffles a lot of people.

      In the past, if I sat on my toilet with the door locked, that was private. If I went out and spoke to some friends in a bar, that was semi-private (what I said might get around the village, but not much more), and public was pretty much impossible unless I became a politician or a journalist.

      Now, however, it's very difficult to work out which state you are in at any one time, and what's worse, you often don't know what's public, which is a state that for the vast majority of humans, is totally new.

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    12. Re:Really? by mabinogi · · Score: 3, Informative

      The ACLU's app lies.

      When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.

      It doesn't magically grant the app more rights to see stuff than the user installing it already has.

      --
      Advanced users are users too!
  2. This is the worst part, in general by Anonymous Coward · · Score: 4, Insightful

    Not that your information is in the hands of the facebook staff. That can be scary, but the facebook people, like google, have demonstrated a fairly reasonable approach to exploitation of personal information.

    The problem is that it's in the hands of all of your friends and family. If there's any aspect of your life that should remain off the internet, never share it with a facebooker.

  3. some advice by FudRucker · · Score: 4, Insightful

    if anyone wants to keep their personal information private then keep it off the internet, if you put your photo or real name & location on any part of internet (especially social networking websites) you can bet your life that somebody else is going to exploit that information in any way possible and for $profit$ if that is possible too.

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:some advice by Panzor · · Score: 5, Insightful

      The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

    2. Re:some advice by ParanoiaBOTS · · Score: 3, Funny

      The thing that annoys me is when someone ELSE posts my picture on the internet. It takes a community to keep an individual safe, and the facebook community is quite security inept.

      The thing that annoys me is people who seem to think that they have a right to keep a photo from appearing online just because they appear in it. It's not like the person went into your house, pulled out your photo album and uploaded those photos. If you don't want to appear in a photo a person may or may not put online, don't go out in public. It's as simple as that.

  4. Facebook App Exposes Abject Insecurity by Dogtanian · · Score: 3, Insightful

    Yeah, I've noticed that this "Facebook" app exposes an abject insecurity.

    Namely that of the users who seem to be obsessed with their not appearing popular enough, and adding as many "friends" as they can.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  5. Privacy is simple by verbatim · · Score: 3, Insightful

    Don't publish/post anything that you wouldn't want made public.

    Simple enough, people? Seriously.

    Grow. The. Fuck. Up. Stop being retarded, paranoid jackasses. Facebook, et al., are out to make MONEY. That means collecting information, data, digesting it in some way, and then selling that information to advertisers/perverts/your mom/etc.

    I just don't get why people are up in arms about "privacy" on a public website, even one with "private" areas. I mean, it's kind of interesting how people will put personal information on a public website and then build virtual walls around it to keep other people out.

    Are you so embarrassed by your circle of friends/family that you really don't want other people to know?

    Do you really think that you are such an interesting fucking nobody that everyone in the whole goddamn universe wants to know everything about you?

    You are one nobody among a collective of nobodies. Deal. :)

    --
    Price, Quality, Time. Pick none. What, you thought you had a choice?
    1. Re:Privacy is simple by gbjbaanb · · Score: 4, Insightful

      I suppose the problem is one of trust - Facebook says "set your privacy controls and you'll be safe", and some people believe this! Not everyone is educated about the internet, they treat it as they would other people, not realising it's totally different. These people use Facebook.

    2. Re:Privacy is simple by notamedic · · Score: 4, Insightful

      Facebook is incredibly popular and the start of your third paragraph shows that (aside from an inability to stop swearing) you can't comprehend what the general non-geeky public want from the internet. Social relationships are complicated - how you interact with your friends and what they know about you may not be the same for your family and for your work colleagues.

      I'm not a big fan of facebook, but the people who use pejorative terms to dismiss it obviously don't understand it.

    3. Re:Privacy is simple by pnattress · · Score: 3, Informative

      It's perfectly possible to set privacy settings on Facebook for applications as well as friends. You can control the information other friends' applications can see. (Settings -> Privacy -> Applications). It's not heavily advertised, because if everyone hid all their info it would devalue their API somewhat, but it's definitely there.
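
Editor's note: the thread above argues over one access-control question: does an app authorised by a friend see more than that friend could, and what does a per-user opt-out actually change? The toy model below is an added example, written for this mirror; it is not code from Slashdot, the ACLU, the quiz author or Facebook. It encodes the rule stated in the story summary (an app runs with the privileges of the user who authorised it, and sweeps that user's friends) and a per-user "block friends' applications" switch standing in for the Settings -> Privacy -> Applications control pnattress mentions. The user names, fields and the exact semantics of that switch are assumptions for illustration.

```python
"""Toy model of transitive app access on a social graph (constructed example).

An app's effective view is the union, over every user who authorised it,
of what that user can see on their own and their friends' profiles. That
reproduces both sides of the thread: the app never sees more of a profile
than its installer could (mabinogi), yet it reads profiles of people who
authorised nothing (RalphSleigh), unless they set the assumed opt-out.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    data: dict = field(default_factory=dict)        # field -> value
    visibility: dict = field(default_factory=dict)  # field -> "everyone" | "friends" | "only_me"
    friends: set = field(default_factory=set)
    installed_apps: set = field(default_factory=set)
    block_friends_apps: bool = False                # assumed per-user opt-out


def befriend(a: User, b: User) -> None:
    """Friendship is symmetric; keep both edges in sync."""
    a.friends.add(b.name)
    b.friends.add(a.name)


def visible_to(owner: User, viewer: str) -> dict:
    """Fields of `owner` that `viewer` may read under the owner's own settings."""
    result = {}
    for fld, value in owner.data.items():
        audience = owner.visibility.get(fld, "everyone")
        if viewer == owner.name or audience == "everyone":
            result[fld] = value
        elif audience == "friends" and viewer in owner.friends:
            result[fld] = value
    return result


def app_view(app: str, users: dict) -> dict:
    """Everything `app` can read, keyed by profile owner.

    For each installer, sweep the installer's own profile and every friend's
    profile with the installer's privileges. Friends who set the opt-out are
    skipped; nobody's "only_me" fields ever appear.
    """
    seen = {}
    for installer in users.values():
        if app not in installer.installed_apps:
            continue
        for owner_name in {installer.name} | installer.friends:
            owner = users[owner_name]
            if owner is not installer and owner.block_friends_apps:
                continue
            fields = visible_to(owner, installer.name)
            if fields:
                seen.setdefault(owner.name, {}).update(fields)
    return seen


def apps_reaching(target: str, users: dict) -> set:
    """Apps able to read `target`'s profile: their own, plus every app any
    friend authorised, unless the opt-out is set."""
    user = users[target]
    apps = set(user.installed_apps)
    if not user.block_friends_apps:
        for friend_name in user.friends:
            apps |= users[friend_name].installed_apps
    return apps


def build_world() -> dict:
    """Constructed sample accounts; nothing here is real data."""
    alice = User("alice", {"name": "Alice", "email": "alice@example.invalid"},
                 {"email": "friends"}, installed_apps={"dog_quiz"})
    bob = User("bob", {"name": "Bob", "phone": "555-0102", "diary": "private notes"},
               {"phone": "friends", "diary": "only_me"})
    carol = User("carol", {"name": "Carol", "phone": "555-0103"},
                 {"phone": "friends"}, block_friends_apps=True)
    dave = User("dave", {"name": "Dave", "phone": "555-0104"}, {"phone": "friends"})
    befriend(alice, bob)
    befriend(alice, carol)
    befriend(bob, dave)
    return {u.name: u for u in (alice, bob, carol, dave)}


if __name__ == "__main__":
    world = build_world()
    for owner, fields in sorted(app_view("dog_quiz", world).items()):
        print(owner, fields)
    for who in ("bob", "carol", "dave"):
        print(who, "reachable by", apps_reaching(who, world) or "no apps")
```

Running it shows the quiz alice authorised reading bob's friends-only phone number although bob installed nothing, while carol (opt-out set) and dave (not alice's friend) stay out of reach; bob's "only_me" diary is never exposed, which is exactly the limit mabinogi describes.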

    4. Re:Privacy is simple by Seumas · · Score: 4, Insightful

      I think you have missed the entire fucking point of Facebook. Facebook is not about blathering your shit to every fucking moron on earth and acquiring as many "friends" as possible, but about communicating and keeping up with a select group of people that you have chosen to communicate with. For example, colleagues, family, and close friends.

      I don't give a fuck about you or what you have to say day in and day out, but your mom might. Or your school chums. Or your best friend at the office. And since Facebook allows you to restrict your interactions to just these chosen people, you have a right to expect your communication to remain between those designated individuals.

      You know, sort of the same way the telephone company is a commercial enterprise, but you have a reasonable expectation for your conversations to remain private. Or do you consider talking on the telephone to be blathering to the "whole goddamn universe", too?

      Unfortunately, just like your mom probably is more prone to getting a virus on her Windows machine than you are, she's probably more likely to use a "what color are you?" facebook application and thereby put you at risk of exposure.

      Again, it is simply disingenuous to trash people as being idiots for using services where security is inherently implied (and options to protect it are right there in the user preferences -- even though they appear not to be adhered to in this demonstration).

      That doesn't mean you should share your most private secrets on earth anywhere online that is connected with your real identity. It just means that you shouldn't have to worry that your every piece of information is being sold out from under you when you thought it was just between yourself and the people in your circle. And if you have this attitude that you should *EXPECT* that from Facebook, then you should have that same attitude toward every institution you deal with from the place you bought your car, to your electric, phone, cable companies and medical providers. After all, if your bank's databases are cracked and the data stolen and sold out from under you, it's YOUR fault for being stupid enough to give your financial information to your financial institution, right?

      Also, as much as I hate Twitter and Facebook and all these things (though I like LinkedIn), you at the very least are often obligated to sign up so that you can protect your identity from being used by someone *else*. And as much as I hate attention-whores, even they deserve an expectation of a certain degree of privacy in situations where that privacy is implied.

  6. Yes, ordinary people are stupid regarding privacy by RIpRapRob · · Score: 5, Interesting

    But here is what Facebook tells their users:

    Facebook Principles

    ...

    We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information.

    ...

    Facebook follows two core principles:

    1. You should have control over your personal information.

    Yeah, there is a lot of 'small print' too, but why wouldn't the average user expect the information they put on Facebook to be private, unless they change some (default) setting?

  7. Facebook/Firefox fail by Animats · · Score: 3, Informative

    That Facebook quiz page puts Firefox 3.5 into a loop at:
    "Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"

    FAIL.

  8. Re:Yes, ordinary people are stupid regarding priva by RIpRapRob · · Score: 3, Insightful

    No, "Private" as in "only friends I have chosen to share information with", not as in "and every application that they are stupid enough to install".

    And you are missing the point

    No one is "feeding the information" to an application. The application is sucking the information without anyone being aware of it.

    The solution is simple:

    Whenever one of my friends grants an application access to my data, Facebook should ask me:

    "You have chosen NOT to share information with applications on Facebook. Your friend XYZ has now granted Application APP1 access to your profile. What would you like to do now?

    [ALLOW]---[BLOCK APP1 ACCESS TO YOUR PROFILE]---[REMOVE XYZ FROM FRIEND LIST]"

  9. Re:Tracy sure didn't get it... by Anonymous Coward · · Score: 4, Informative

    Tracy's account was hacked by 4chan.

    4chan hacked a Christian dating site, and got a list of details and passwords contained on its servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and facebook or if some other step was involved), but they used this to gain access to hundreds of facebook accounts.

    They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.

    Don't blame Tracy. She didn't post that.

    Blame the Christian dating site for insecurity.

    Blame 4chan for being 4chan.