Facebook Connect Exposes Hulu User Data
An anonymous reader writes "Over the weekend, Hulu rolled out Facebook Connect integration. Almost immediately after launch, Hulu had to pull the feature as the company discovered a technical issue affecting a limited number of users. More specifically, some users weren't seeing their own Hulu account information upon login, but someone else's."
The company has admitted that the flaw was the result of a coding and configuration error on Hulu’s side. The company has denied that the issue is the result of hacking, other third party actions, or a vulnerability in Facebook Connect.
"Hulu exposes user data on Facebook Connect"
Because you have good karma and contribute enough to slashdot. It's a gift.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
The good old static variables (or class variables in a singleton) causing a network application to leak data between sessions.
Doesn't generally show up in most testing as that's generally done by one tester at a time.
Relatively innocent to do and relatively major crap-storm that follows because one programmer accidentally used the wrong variable scope for probably 1 or a few variables.
This is why it worries me that Facebook is increasingly becoming a sort of ID badge for the internet--many blogs, for example, now support Facebook Connect as the primary (or only!) way to comment; social networking games (even ones living outside of Facebook) urge or even force users to connect their accounts, etc.
What control do I retain over my own information? For some sites, sure, it's useful to be able to authenticate my login info with one click (assuming my Facebook is logged in) and it's nice to have a populated friends list for applications such as online games so I know who I can play with, but for some sites (Hulu included), I don't want to give my name, profile picture, and friends list up.
I use a different, strong password for all of my accounts online, so a website I visit being compromised by hackers doesn't concern me much, but if a flaw in the implementation of the Facebook Connect API can leak any information that Facebook gives them out to other people (and potentially out to hackers), I could be facing some serious issues.
A name and friend list forms a unique thumbprint for my identity that can contribute to identity theft. Hell, I have even seen Facebook hacks that clone your profile and friend your entire friends list--sort of the reverse of having your profile hacked and having to create a new one.
Bottom line: Facebook has information that I barely trust Facebook to handle, much less other websites, and the use of the Facebook Connect API by a site can have dangerous consequences for its users.
Ah. All I do is post polarizing inflammatory crap (usually because I legitimately AM one of the extremists that lends legitimacy to the middle ground) about stuff I have very little expertise in and I always get modded +5 Insightful! Not to say I troll, per se, I just don't pretend to be mindful and conscientious of others' beliefs and sensibilities. I'm just your average internet egomaniac! :D
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
Do you always get the red headlines? I do every once in a while and I've never subscribed. I'm also able to disable ads. Didn't even realize that was a subscriber thing.
Did your girlfriend type that? You're supposed to think that you're infallible and incredibly awesome, never capable of being wrong.
would you expect a boring and conciliatory centrist to generate enough interest to get voted up?
Snowden and Manning are heroes.
I disagree with your statement.
No, but I've found a lot of people who do nothing but voice the popular sentiment to get modded "Informative" or "Insightful," when it's quite plainly neither - especially when it's the third or fourth time it's been said.
Canada: The US's more awesome sibling.
Saw something like that a while back at another company. Their auth code was essentially all static. Worked great for one user. I wonder if it was the same sort of problem. That'd be pretty funny. Whenever I see users getting other users' credentials, that's immediately what I think now.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
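The static-state bug described in this comment and in the earlier comment about static variables leaking data between sessions, as an added example that is not part of the thread: a Python login handler that keeps the current user in class-level (static) state beside a request-scoped version, with the one-tester-at-a-time check that passes for both and a concurrent check that exposes the leak. The class names, user names and threading harness are constructed for the demo.

```python
import threading

class LeakySession:
    # The logged-in user lives in class-level (static) state, so every request
    # in the process shares one variable, as the comment above describes.
    current_user = None
    def login(self, user):
        LeakySession.current_user = user
    def profile(self):
        return LeakySession.current_user

class ScopedSession:
    # Same handler with the user held per instance, i.e. per request.
    def __init__(self):
        self.current_user = None
    def login(self, user):
        self.current_user = user
    def profile(self):
        return self.current_user

def single_user_check(session_cls, user="alice"):
    # The one-tester-at-a-time test: log in, read the profile back.
    # It passes for both classes, which is why the bug slips through QA.
    s = session_cls()
    s.login(user)
    return s.profile() == user

def concurrent_check(session_cls, users=("alice", "bob", "carol")):
    # One request per user on its own thread. The barrier forces every request
    # to finish login before any reads its profile, so shared state cannot hide.
    # Returns the set of users who saw someone else's profile (empty = no leak).
    barrier = threading.Barrier(len(users))
    leaked, lock = set(), threading.Lock()

    def request(user):
        s = session_cls()
        s.login(user)
        barrier.wait()
        if s.profile() != user:
            with lock:
                leaked.add(user)

    threads = [threading.Thread(target=request, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return leaked
```

With three constructed users the leaky handler always leaves exactly two of them reading the last login's profile, while the scoped handler leaks nothing.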
"More specifically, some users weren't seeing their own Hulu account information upon login, but someone else's."
Now we know why it was code named "Russian Roulette".
I don't know where to begin. One could first argue that Slashdotters have no girlfriends, and therefore no girlfriend could have typed that. On the other hand, one could also argue that women don't read Slashdot, only lonely men and FBI agents posing as women. The order of these arguments matters, because this is Slashdot, and one of the rules is that you have to put in second place the stronger argument that makes your first argument a pointless waste of keystrokes.
Wait, this is Slashdot—am I being trolled?
I will never put everything in one basket. I don't even have a Facebook account since they kicked me off for fake/false data.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
This sort of thing rarely happens when people are coding for free. Check for security advisories in web frameworks like Drupal, WordPress or Joomla; they're usually about things breaking under comically unlikely circumstances. These companies have the money to pay people for testing and QA; shouldn't they reach at least the quality level of FOSS?
While I don't use FB for the reasons you lay out, I think the situation is not yet as bad as you portray it. I've canceled my Fuckbook account years ago and have no troubles logging into any web forums, etc.
I'd be generally more worried about the general tendency to regulate the Internet and turn it into an interactive TV network. The big companies certainly want that, as long as they get their share of the cake, and many governments nowadays seem to be sympathetic to the idea. This "vision" of the future of the Net is mainly enforced by "intellectual property" laws, primarily by software patents. As long as you do not have success with a new idea on the Net you won't have any problem. However, when Fuckbook, Foogle, Bad Apple, Micro$oft, etc. see some potential in your technology, they will likely (if you refuse their "friendly offers") sue you into oblivion for having served structured documents from a remote server or using windows with round edges.
Get rid of software patents and Fuckbook et al. will only ever be a problem for their users.
I don't care who's fault it was. I use facebook to find old friends.... then email them.
appears in the last paragraph.
"The social experience on Hulu is being funded by two of the company’s partners: Coors Light and Microsoft. Interestingly, the latter is using its Bing brand to provide a free one month Hulu Plus subscription to users who make the decision to “go social” by signing up for Facebook on Hulu. Microsoft and Facebook have been long-time partners since October 2007. "
Microsoft + Facebook....what could POSSIBLY go wrong?
Please fix the misleading title.
No, Facebook is not Java at all. Facebook runs fine if you do not even have Java installed on the machine, or do not have permissions to run Java. If it doesn't run when you select that option, I suspect your router is filtering more than just Java applets.
My router has security options for filtering the following:
---
1.) Filter JAVA applets
2.) Filter Cookies
3.) Filter Proxy
4.) Filter ActiveX
---
* The strange part is, that when I turn off #1 from the enumerated list above? I can then see the entirety of Facebook pages... but, only then!
(Hence, my "hypothesis/theory"... I take it on faith you're correct here though - I will have to look deeper into this than that (e.g. -> Look @ the page's HTML & such, perhaps do some reading about FaceBook etc./et al, rather than "making assumptions" here on my end))
APK
P.S.=> Again: Thank you for your time in answering though! NOW, I am truly, "genuinely curious" & I will "get to the bottom of this" tonite - because it surely looked the way I guessed it was based solely on that though...
... apk
Although I agree FB has way too much info and power with the Connect API, I would like to say, we are still human and we humans can make mistakes. The point is that Hulu shut it down real fast. I have so many PWs in my head running a computer shop with an in-house network. I can see a very simple and dumb mistake like this, but they saw it and stopped it. That's the point here. Now, I just go back to lurking... Someday, Google+ will kill we all hope