Facebook Caught Exposing Millions of Credentials
fysdt writes "Facebook has leaked photographs, profiles and other personal information for millions of its users because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits."
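The summary says the leaked tokens are bearer credentials handed to third parties by an older app-authentication flow. One way such a token reaches advertisers embedded in a page is when it sits in the page URL's query string and the browser copies that URL into the Referer header of every request for an embedded resource; the following is an added example (not code from the article, Symantec or Facebook) that assumes that mechanism and shows how to spot such leaks in web-server logs, redact them, and rewrite the URL so the token lives in the fragment instead, which browsers never send in Referer. The log format, host names and token values are constructed for the example.

```python
"""Detect OAuth-style access tokens leaking through URLs and Referer headers.

Added example, not code from the article or from Facebook/Symantec.
All log lines, hosts and token values below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as bearer credentials. "access_token" is the one
# the report is about; "oauth_token" is an assumed common variant.
TOKEN_PARAMS = {"access_token", "oauth_token"}

# Constructed log format: <receiving host> <method> <path?query> <status> "<Referer>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample: an ad server (ads.example.net) receives the token in the
# Referer because the app page put it in its own query string. The last two
# lines show a page that keeps the token in the fragment: browsers strip the
# fragment before sending Referer, so nothing leaks.
SAMPLE_LOG = [
    'ads.example.net GET /pixel.gif?cb=17 200 "https://apps.example.com/canvas/?app_id=123&access_token=AAAfake1"',
    'apps.example.com GET /canvas/?app_id=123&access_token=AAAfake1 200 "-"',
    'ads.example.net GET /pixel.gif?cb=18 200 "https://apps.example.com/canvas/?app_id=123"',
    'static.example.org GET /lib.js 200 "https://apps.example.com/canvas/?app_id=123"',
]


def tokens_in_url(url):
    """Return [(param, value), ...] for credential-bearing query parameters.

    Only the query string is inspected: a token in the fragment is never sent
    to a server or copied into Referer, so it is not a leak on the wire."""
    parts = urlsplit(url)
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in TOKEN_PARAMS]


def redact_url(url):
    """Replace token values so a URL can be logged or shared safely."""
    parts = urlsplit(url)
    q = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def move_token_to_fragment(url):
    """Rewrite ?access_token=... into #access_token=... (the fix side).

    Page scripts can still read the fragment, but it is not transmitted to
    the server and not included in the Referer of embedded resources."""
    parts = urlsplit(url)
    keep, moved = [], []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        (moved if k in TOKEN_PARAMS else keep).append((k, v))
    if not moved:
        return url
    frag = urlencode(moved)
    if parts.fragment:
        frag = parts.fragment + "&" + frag
    return urlunsplit(parts._replace(query=urlencode(keep), fragment=frag))


def scan_log(lines):
    """One finding per token observed: which host got it and by which path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        host, _method, target, _status, referer = m.groups()
        # Token sent directly to this host in the request line.
        for param, value in tokens_in_url("https://" + host + target):
            findings.append({"host": host, "via": "request",
                             "param": param, "token": value})
        # Token copied into Referer from the page that embedded this resource:
        # this host is a third party that now holds someone else's credential.
        for param, value in tokens_in_url(referer):
            findings.append({"host": host, "via": "referer", "param": param,
                             "token": value,
                             "leaked_from": urlsplit(referer).netloc})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["host"], "received", f["param"], "via", f["via"],
              "from", f.get("leaked_from", "client"))
    print(redact_url("https://apps.example.com/canvas/?app_id=123&access_token=AAAfake1"))
    print(move_token_to_fragment("https://apps.example.com/canvas/?app_id=123&access_token=AAAfake1"))
```

Run on the constructed log, the scanner reports the first-party app receiving its own token in the request (expected, but a reason to redact before the line is stored) and the ad host receiving the same token through Referer, which is the cross-party exposure the summary describes. Moving the token into the fragment makes `tokens_in_url` come back empty for the rewritten page URL, because nothing credential-bearing remains in the part of the URL that leaves the browser.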
... so isn't this kind of a 'well duh' moment?
"I use a Mac because I'm just better than you are."
Are you sure you want to unfriend Mark Zuckerberg? (Yes/No)
I was forced to log back into my Facebook account on my phone out of the blue last Friday. Perhaps that was them revoking access to all the old offline tokens?
There's a reason there is no "Disagree" mod...
FB is overrated anyway. And waay too many people use it as if it were their Twitter account.
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
There should be a law requiring a fine for each user whose personal information is compromised as a result of bugs like this. My bet is that if there were, this type of thing would happen far less often. Of course, Facebook isn't the only company guilty of this type of thing -- and I suspect that until there is some serious consequence associated with this type of security hole, most companies won't take it seriously enough.
Facts have a liberal bias.
Are they still implementing it in PHP?
It's really just that simple. Even better, don't be on Facebook at all.
Get thee to Congress and testify!
Researchers note that they would have released this study much sooner, but their PCs were hamstrung by Norton Internet Security.
Humor from a Genetically Molested Mind
These types of errors are bound to keep happening. Software is too large to find and fix everything. Not saying that it is right, or developers should give up, or software should generally be more secure than it is. But maybe we as users should keep this in mind when we put anything up on the Internet. Especially when dealing with sites like Facebook.
What if Zuckerberg was affected too? Could we then say that he exposed himself?
WHY do people continually seem surprised by these sorts of things? It's Facebook. This is their M.O. "Accidentally" leak millions of users' worth of data once every 6 months or so, a handful of people (and all of Slashdot) wring their hands, and the millions of morons who don't care keep on using it without even noticing.
Working as intended
Maybe they should be fined, maybe this was grossly negligent, I'm not arguing that one way or the other.
But caught definitely implies the exposure of some deliberate action on their part. Neither the article nor the summary accuse them of anything like that, so what gives?
Somebody needs to take a refresher course in "What is this 'news" thing, anyway?" Something that happens with utter predictability and regularity, like a dog biting a man, is never really news. But if a man were to bite a dog, or Facebook was caught protecting user information, then that would be news.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
No? Must be anon, it was an impossible-to-thwart attack, the 13-year-olds are to blame, not Facebook.
to make a self-righteous post about how you don't use Facebook, and anyone who does is stupid.
Your writing style will get you tracked. I remember when trolling a few years ago that someone guessed what ISP I was using, due to cross checks on multiple sites. If you are alive, your atoms will be tracked.
Watch out when Copyright Superclick comes into law. By that I mean the various forms of the laws that would make streaming/accessing/viewing anything not the authorized source into a crime.
I am floating the proposal that we make personal information just as prickly as copyrighted work. Then if Z had to pay $875,000 per shared profile times 20 million profiles he would wake up.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Is anyone surprised about this? Omniscience is more than just a fantasy now, isn't it?
I assume Facebook is being back-doored by the feds, assume they sell information to advertisers, so the only difference here is that it was unintentional. So I keep my FB profile loaded with inaccurate, out of date information. Just seems like the best way to hide a tree is in a forest of misleading information.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I'm still not worried. I still haven't logged back into FaceBook after having tried it a few months ago. I know it's not for lack of trying; but FaceBook hasn't made itself essential.
Apple and FaceBook are both employing coupons to lure us in. This is their best shot. If they succeed, it becomes a "privacy tax" on those of us who don't participate. Participants step forward in terms of coupon savings. You effectively step back.
I don't derive any intrinsic pleasure from what the iPhone or FaceBook have to offer. Thus, I can simply "do the math" as a simple "what's my privacy and security worth" sort of equation. The SafeWay club card eventually got me on this. 30% off on some items that I actually need.
So there you go, Jobs and/or Zuckerberg. There really isn't that much I buy online. I buy clothing, the occasional Christmas gift. It's not a huge portion of my budget. My Honda might not be worth fixing in 10 years. If you can get me 30% off on a new one, I'll consider signing back in.
You should have no reasonable expectation of privacy when posting ANYTHING to a social networking website.
Am I the only one that read this as "Facebook Caught Exposing Itself"?
The world's burning. Moped Jesus spotted on I50. Details at 11.
Facebook staff have been amazed to discover that when Facebook passes users' complete details to application developers and advertisers like candy, some of the partner companies might accidentally let slip the information in some manner.
"We are appalled at this information leak," said Facebook founder Mark Zuckerberg as he took a break from his personal RSS feed of drunk women's tits posted to his service. "But I can assure you that we have sternly suggested to everyone involved that they take somewhat greater care not to get caught, and maintain a serious demeanor when rolling around in the great big pit filled with money in their basement."
"I'm horrified and outraged," said office worker Brenda Busybody, 43 (IQ), "that stuff I put on the Internet is on the Internet. It violates everything I expect. I want privacy when I'm calling my boss a useless fuckstick to the entire world, all my coworkers and my boss himself. And when I'm playing a bit of FarmVille before we nick off down the pub."
Privacy advocates are working on Diaspora, a security-enhanced social network so far populated by Linux users who cryptographically sign every update about which episode of Babylon 5 they just finished watching alone in their parents' basement. "START PGP KEY BLOCK!" said open source software advocate Hiram Nerdboy, 17. "WE WILL PROTECT YOUR FREEDOMS!" The next version of Diaspora will allow users to list more than three friends, should there be any demand whatsoever for such a feature.
Facebook works on the now-standard "Web 2.0" business model: 1. Brutally sodomise the personal privacy of anyone who comes within a mile of your service and say "hey baby, I'm sorry" every time you're busted. 2. Sell ads.
http://rocknerd.co.uk
how can I share this article on facebook ?
Throughout history, we have given a wide berth to those who have made great leaps in technology. This is nothing compared with the railroads' liberties with property and human lives, same goes for mechanized automation, commercial shipping, and, of course, weaponry. We are entitled to get all verklempt over these things, but the world moves on anyway. Just feel lucky if you have not (yet) been crushed under the wheels of progress.
BTW, there is a benefit to falsifying everything about yourself on your Facebook page.
I think it is time that Mark Z and the entire FB crew be held accountable and thrown in jail for a couple of years
to make a self-righteous post about how you don't use Windows, and anyone who does is stupid.
The lions. I beard them.
Infrastructures
Isn't Facebook's entire valuation based on violating user privacy? The ad piece of the business probably pales in comparison to being able to "accidentally" expose thoroughly mined and indexed personal information. It is probably the same thing for Zynga, the world's highest grossing "GAME" company, slowly recycling Pavlov's finest experiments.
--WooooHoooo--
It's always about Fuckerberg. But what about his fellow billionaires -- we need to have our moment of hate for the other Facebook success stories too.
I did it again...and again...and again.........
Go to Facebook -> Account -> Apps and Web Sites -> Edit Your Settings ->Apps You Use -> Turn Off Platform Apps.
Even that doesn't stop everything. Go to Account -> Privacy Settings -> Block Lists. This is where you see the list of apps you've blocked from contacting you when run by others. But you can't actually block anything from there. You have to find the Facebook page of the annoying app (for example, FarmVille) and then click on "Block App". Now, no more annoying FarmVille messages. You may also have to find "Zynga's Players Community" and block that, too. Also, for Foursquare, you need to block both Foursquare and Foursquare Badges.
Yes, you have to do all this just to block the companies whose apps have the intrusion level of an anal probe.
Hey guys - I work on the Dev Relations team at Facebook. We appreciate Symantec raising this issue and we worked with them to address it immediately as the article mentioned. Unfortunately, their resulting report has some inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies. Lastly, the change we announced today on our developer blog (https://developers.facebook.com/blog/post/497) removes the outdated API referred to in Symantec's report.
I just assumed that this is what was happening when you gave an app access to your profile, which you do with all of them. That's why I don't use any apps on facebook.
Average Joe/Jane won't read it, and even if they do they'll think it's bullshit, or they will say that they don't have anything to hide on the Interwebz.
I don't put anything on a site like Facebook, Twitter or MySpace, even here, that would bother me if it got out. I don't pay to use them, so I expect hiccups and bugs and hacks often. No, if it was something like my Evernote account, which I pay for, I would have pitchfork in hand ready to crucify their CTO & CEO for my research or personal info getting out.