Slashdot Mirror
Facebook Caught Exposing Millions of Credentials
fysdt writes "Facebook has leaked photographs, profiles and other personal information for millions of its users because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits."
... so isn't this kind of a 'well duh' moment?
"I use a Mac because I'm just better than you are."
Are you sure you want to unfriend Mark Zuckerberg? (Yes/No)
I was forced to log back into my Facebook account on my phone out of the blue last Friday. Perhaps that was them revoking access to all the old offline tokens?
There's a reason there is no "Disagree" mod...
FB is overrated anyway. And waay too many people use it as if it were their Twitter account.
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
There should be a law requiring a fine for each user who's personal information is compromised as a result of bugs like this. My bet is that if there were, this type of thing would happen far less often. Of course, Facebook isn't the only company guilty of this type of thing -- and I suspect that until there is some serious consequence associated with this type of security hole, most companies won't take it seriously enough.
Facts have a liberal bias.
Get thee to Congress and testify!
Researchers note that they would have released this study much sooner, but their PCs were hamstrung by Norton Internet Security.
Humor from a Genetically Molested Mind
These types of errors are bound to keep happening. Software is to large to find and fix everything. Not saying that it is right, or developers should give up, or software should generally be more secure than it is. But maybe we as users should keep this in mind when we put anything up on the Internet. Especially when dealing with sites like facebook.
Working as intended
Somebody needs to take a refresher course in "What is this 'news" thing, anyway?" Something that happens with utter predictability and regularity, like a dog biting a man, is never really news. But if a man were to bite a dog, or Facebook was caught protecting user information, then that would be news.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
No? must be anon, it was an impossible to thwart attack, the 13 year olds are to blame not facebook.
to make a self-righteous post about how you don't use Facebook, and anyone who does is stupid.
Your writing style will get you tracked. I remember when trolling a few years ago that someone guessed what ISP I was using.due to cross checks on multiple sites. If you are alive, your atoms will be tracked.
Watch out when Copyright Superclick comes into law. By that I mean the various forms of the laws that would make streaming/accessing/viewing anything not the authorized source into a crime.
I am floating the proposal that we make personal information just as prickly as copyrighted work. Then if Z had to pay $875,000 per shared profile times 20 million profiles he would wake up.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I assume Facebook is being back-doored by the feds, assume they sell information to advertisers, so the only difference here is that it was unintentional. So I keep my FB profile loaded with inaccurate, out of date information. Just seems like the best way to hide a tree is in a forest of misleading information.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
You should have no reasonable expectation of privacy when posting ANYTHING to a social networking website.
Facebook staff have been amazed to discover that when Facebook passes users' complete details to application developers and advertisers like candy, some of the partner companies might accidentally let slip the information in some manner.
"We are appalled at this information leak," said Facebook founder Mark Zuckerberg as he took a break from his personal RSS feed of drunk women's tits posted to his service. "But I can assure you that we have sternly suggested to everyone involved that they take somewhat greater care not to get caught, and maintain a serious demeanor when rolling around in the great big pit filled with money in their basement."
"I'm horrified and outraged," said office worker Brenda Busybody, 43 (IQ), "that stuff I put on the Internet is on the Internet. It violates everything I expect. I want privacy when I'm calling my boss a useless fuckstick to the entire world, all my coworkers and my boss himself. And when I'm playing a bit of FarmVille before we nick off down the pub."
Privacy advocates are working on Diaspora, a security-enhanced social network so far populated by Linux users who cryptographically sign every update about which episode of Babylon 5 they just finished watching alone in their parents' basement. "START PGP KEY BLOCK!" said open source software advocate Hiram Nerdboy, 17. "WE WILL PROTECT YOUR FREEDOMS!" The next version of Diaspora will allow users to list more than three friends, should there be any demand whatsoever for such a feature.
Facebook works on the now-standard "Web 2.0” business model: 1. Brutally sodomise the personal privacy of anyone who comes within a mile of your service and say "hey baby, I'm sorry" every time you're busted. 2. Sell ads.
http://rocknerd.co.uk
He's worse than an incubus.
He's a fucking suit.
And he doesn't have nearly enough facial scars. Someone needs to get working on that.
Throughout history, we have given a wide berth to those who have made great leaps in technology. This is nothing compared with the railroads' liberties with property and human lives, same goes for mechanized automation, commercial shipping, and, of course, weaponry. We are entitled to get all verklempt over these things, but the world moves on anyway. Just feel lucky if you have not (yet) been crushed under the wheels of progress.
BTW, there is a benefit to falsifying everything about yourself on your Facebook page.
to make a self-righteous post about how you don't use Windows, and anyone who does is stupid.
The lions. I beard them.
Infrastructures
Isn't Facebook's entire valuation based on violating user privacy? The ad piece of the business probably pales in comparison to being able to "accidentally" expose thoroughly mined and indexed personal information. It is probably the same thing for Zygna, the world's highest grossing "GAME" company, slowly recycling Pavlov's finest experiments.
--WooooHoooo--
Why are they responsible? They are a company and they want to make money. Which is reasonable me thinks.
You choose to use the services of FB and the likes. So you are responsible. You are responsible for the choices you make in life.
If you care about your privacy, then stop putting all your personal information on somebody else's website.
Facebook works on the now-standard "Web 2.0" business model: 1. Brutally sodomise the personal privacy of anyone who comes within a mile of your service and say "hey baby, I'm sorry" every time you're busted. 2. Sell ads.
If that's the new "standard", than this world is screwed up badly.
And I refuse to go along.
Go to Facebook -> Account -> Apps and Web Sites -> Edit Your Settings ->Apps You Use -> Turn Off Platform Apps.
Even that doesn't stop everything. Go to Account-> Privacy Settings -> Block LIsts. This is where you see the list of apps you've blocked from contacting you when run by others. But you can't actually block anything from there. You have to find the Facebook page of the annoying app (for example, FarmVille) and then click on "Block App". Now, no more annoying Farmville messages. You may also have to find "Zynga's Players Community" and block that, too. Also, for Foursquare, you need to block both Foursquare and Foursquare Badges.
Yes, you have to do all this just to block the companies whose apps have the intrusion level of an anal probe.
Hey guys - I work on the Dev Relations team at Facebook. We appreciate Symantec raising this issue and we worked with them to address it immediately as the article mentioned. Unfortunately, their resulting report has some inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies. Lastly, the change we announced today on our developer blog (https://developers.facebook.com/blog/post/497) removes the outdated API referred to in Symantec's report.
Average Joe/Jane won't read it, and even if they do they'll think it's bullshit, or they will say that they don't have anything to hide on the Interwebz.
Post it and mark it as "private". Then everyone should be able to see it.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
I don't put anything on a site like Facebook, Twitter or myspace even here that would bother me if it got out. I don't pay to use them so i expect hiccups and bug and hacks often. No if it was something like my evernote account which i pay for I would have pitchfork in hand ready to crucify their CTO & CEO for me research or personal info getting out.