Facebook Caught Exposing Millions of Credentials
fysdt writes "Facebook has leaked photographs, profiles and other personal information for millions of its users because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits."
There should be a law requiring a fine for each user whose personal information is compromised as a result of bugs like this. My bet is that if there were, this type of thing would happen far less often. Of course, Facebook isn't the only company guilty of this type of thing -- and I suspect that until there is some serious consequence associated with this type of security hole, most companies won't take it seriously enough.
Facts have a liberal bias.
Researchers note that they would have released this study much sooner, but their PCs were hamstrung by Norton Internet Security.
Humor from a Genetically Molested Mind
These types of errors are bound to keep happening. Software is too large to find and fix everything. Not saying that it is right, or developers should give up, or software should generally be more secure than it is. But maybe we as users should keep this in mind when we put anything up on the Internet. Especially when dealing with sites like facebook.
More likely, they don't care.
The few that do expect privacy will see this, have a momentary sense of outrage, and then forget about it.
They'll continue to use facebook because they're really not all that concerned about their privacy. At most Facebook may make a statement about how they're continually improving security, and then it will be business as usual.
Working as intended
I don't have any facebook apps installed. not a one.
I don't answer any surveys or take any polls.
I painstakingly go through every privacy setting and set to "friends only".
I post as little truly personal information as possible. No phone number, no address, no high school, college, or place of current employment, none of it.
and I'm still pretty sure that facebook has still somehow probably derived all of my info down to my underwear color, porn preferences, and whether I ate lucky charms for dinner last night, and sold that to advertisers.
Somebody needs to take a refresher course in "What is this 'news' thing, anyway?" Something that happens with utter predictability and regularity, like a dog biting a man, is never really news. But if a man were to bite a dog, or Facebook was caught protecting user information, then that would be news.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
to make a self-righteous post about how you don't use Facebook, and anyone who does is stupid.
The Zen way. You stand by instead of using it, and watch with compassion how the rest of humanity does something really stupid.
I thought we wanted to fix the problem.
I use Facebook to keep in touch with patients and other health care professionals (chiropractors, homeopaths, acupuncturists, etc.)
Let me fix that for you ....
I use Facebook to keep in touch with patients and other quacks and dispensers of expensive placebos that have absolutely no scientific evidence to back their efficacy (chiropractors, homeopaths, acupuncturists, etc.)
There you go ....
The other side of the basement is neither, and, let's face it, you aren't going to climb the stairs over this.
FB is overrated anyway. And waay too many people use it as if it were their Twitter account.
The big downside to Facebook around here is that it requires friends.
"I like to lick butts!" by MobileTatsu-NJG
You are trolling right?
Chiropractors, homeopaths, acupuncturists, etc are "health care professionals" while science is quackery "vaccine pushers, big pharma, etc".
Ditto. No apps, no invites, no surveys, I ignore those stupid "Someone answered a question about you" yada yada yada. Half my personal data is false, the other half misleading. And, I still don't really expect privacy. Like yourself, I'm sure Facebook has sold everything that's on my page, and knows who I am based on the people I know. Phhht.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I find this wrong (obviously), but at least in my personal case, I assume that everything I ever put on FB is there for the entire world to see, regardless of my own privacy settings.
I care about my privacy...I just don't see Facebook as even remotely "private"
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Treat it as if it is a giant billboard hovering above the earth that every single human being on the planet can see and read.
I use FB to keep up with a large number of people scattered around the globe that I give a shit about. It is a casual way to be a part of the life of people I care about that I can't be close to.
I don't post pictures, play games, use apps, say stupid shit about my boss/employer, etc. People that do deserve to have their personal shit posted around the globe.
Until people get bitten by personal information being leaked to the wrong people, they will not care about their privacy. If your private photos get leaked to your employer and there are allusions or consequences that embarrass you, you might get mad enough about it to stop using the service. If they get leaked to faceless corporations that will crunch the data to suck as much money as possible out of you and your friends with targeted advertising, the connection is fuzzy, remote, indirect, and it is unlikely you will care at all. For 99.99% of people, the lack of privacy will have no effect they can relate to their use of the service. The remainder might get into trouble, but 0.01% of users has no pull. And if the whole of society was to get into trouble because of things like this getting out of hand, the responsibility will be diluted among everyone - ergo, still, nobody cares.
In short, people care about their privacy versus the core of people they interact with or might interact with in the future. Outside of that core, their information might be distributed on flyers in the streets of Bangkok for all they care. At best they will be momentarily disturbed by the thought.
Ha, if you post anything to Facebook that you wouldn't post on your old skool Geocities public website or whatever, then you fail the internets.
People look at Zuckerberg like he's some kind of freak that doesn't respect privacy. And he's looking back at a whole bunch of people complaining that the stuff that they posted on the internet... is out on the internet.
If you really want to share something secret, use hushmail or something. Facebook, OTOH, is all about syndication... letting your personal thoughts and habits reach as many people as possible... people who wouldn't have given a rat's ass about what you were saying or doing otherwise. If your information is reaching a wide audience, then you're WINNING :-D
I'd like to make a new service called Twatter. That way, when you send out a message, you're Twatting, and an individual message is a Twat.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I assume Facebook is being back-doored by the feds, assume they sell information to advertisers, so the only difference here is that it was unintentional. So I keep my FB profile loaded with inaccurate, out of date information. Just seems like the best way to hide a tree is in a forest of misleading information.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Facebook staff have been amazed to discover that when Facebook passes users' complete details to application developers and advertisers like candy, some of the partner companies might accidentally let slip the information in some manner.
"We are appalled at this information leak," said Facebook founder Mark Zuckerberg as he took a break from his personal RSS feed of drunk women's tits posted to his service. "But I can assure you that we have sternly suggested to everyone involved that they take somewhat greater care not to get caught, and maintain a serious demeanor when rolling around in the great big pit filled with money in their basement."
"I'm horrified and outraged," said office worker Brenda Busybody, 43 (IQ), "that stuff I put on the Internet is on the Internet. It violates everything I expect. I want privacy when I'm calling my boss a useless fuckstick to the entire world, all my coworkers and my boss himself. And when I'm playing a bit of FarmVille before we nick off down the pub."
Privacy advocates are working on Diaspora, a security-enhanced social network so far populated by Linux users who cryptographically sign every update about which episode of Babylon 5 they just finished watching alone in their parents' basement. "START PGP KEY BLOCK!" said open source software advocate Hiram Nerdboy, 17. "WE WILL PROTECT YOUR FREEDOMS!" The next version of Diaspora will allow users to list more than three friends, should there be any demand whatsoever for such a feature.
Facebook works on the now-standard "Web 2.0" business model: 1. Brutally sodomise the personal privacy of anyone who comes within a mile of your service and say "hey baby, I'm sorry" every time you're busted. 2. Sell ads.
http://rocknerd.co.uk
I feel like we have this exact same conversation every time Facebook is mentioned. It would be really interesting to cross-section the first 10 posts of every Facebook-related submission.
Infrastructures
Hey guys - I work on the Dev Relations team at Facebook. We appreciate Symantec raising this issue and we worked with them to address it immediately as the article mentioned. Unfortunately, their resulting report has some inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies. Lastly, the change we announced today on our developer blog (https://developers.facebook.com/blog/post/497) removes the outdated API referred to in Symantec's report.