Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Connect Exposes Hulu User Data

Posted by samzenpus on from the eyes-on-your-own-account dept.

An anonymous reader writes "Over the weekend, Hulu rolled out Facebook Connect integration. Almost immediately after launch, Hulu had to pull the feature as the company discovered a technical issue affecting a limited number of users. More specifically, some users weren't seeing their own Hulu account information upon login, but someone else's."

9 of 60 comments (clear)

  1. Hulu's problem by cgeys · · Score: 5, Interesting
    Nice how to the title tries to imply that it is Facebook's fault when in fact it's only bad coding from Hulu's side. They even admit it:

    The company has admitted that the flaw was the result of a coding and configuration error on Hulu’s side. The company has denied that the issue is the result of hacking, other third party actions, or a vulnerability in Facebook Connect.

    1. Re:Hulu's problem by SlappyBastard · · Score: 4, Insightful

      Good PR: the cure to shitty coding.

      --
      I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
    2. Re:Hulu's problem by RoFLKOPTr · · Score: 4, Insightful

      Good PR: the cure to shitty coding.

      You seem to be implying that Hulu is dancing around the fact that they fucked up when they clearly admitted that they fucked up.

    3. Re:Hulu's problem by Co0Ps · · Score: 3, Funny

      Probably some script-monkey who wrote:

      // Get account to connect with facebook.
      SELECT * FROM `accounts` WHERE first_name = $facebook_first_name LIMIT 1

  2. The title should be by cranil · · Score: 5, Insightful

    "Hulu exposes user data on Facebook Connect"

  3. Facebook as an "Identification Badge" by raving+griff · · Score: 4, Insightful

    This is why it worries me that Facebook is increasingly becoming a sort of ID badge for the internet--many blogs, for example, now support Facebook Connect as the primary (or only!) way to comment; social networking games (even ones living outside of Facebook) urge or even force users to connect their accounts, etc.

    What control do I retain over my own information? For some sites, sure, it's useful to be able to authenticate my login info with one click (assuming my Facebook is logged in) and it's nice to have a populated friends list for applications such as online games so I know who I can play with, but for some sites (Hulu included), I don't want to give my name, profile picture, and friends list up.

    I use a different, strong password for all of my accounts online, so a website I visit being compromised by hackers doesn't concern me much, but if a flaw in implementation of the Facebook Connect API can leak any information that Facebook gives them out to other people (and potentially out to hackers), I could be facing some serious issues.

    A name and friend list forms a unique thumbprint for my identity that can contribute to identity theft. Hell, I have even seen Facebook hacks that clone your profile and friend your entire friends list--sort of the reverse of having your profile hacked and having to create a new one.

    Bottom line: Facebook has information that I barely trust Facebook to handle, much less other websites, and the use of the Facebook Connect API by a site can have dangerous consequences for its users.

    1. Re:Facebook as an "Identification Badge" by GrumblyStuff · · Score: 3, Insightful

      Don't worry. Google+ will take care of everything.

      (I jest but it would be unwise to ignore the lessons of current predicaments.)

    2. Re:Facebook as an "Identification Badge" by Anonymous Coward · · Score: 3, Insightful

      Not that I think Google+ is going to succeed, but isn't Google an OpenID provider?

      So is facebook.

      I would prefer that both were also OpenID consumers (or whatever the heck that is called these days) instead.

  4. Re:Ahh that old bug by JWSmythe · · Score: 4, Interesting

        I had a friend who had a problem just like that. What had happened in that case was this... Each user was given a session cookie, using functionality included with the language (an older version of ColdFusion). The cookies were a pseudo random number. It was all fine and dandy with just a few users on, there was very little chance of collision.

        When it was introduced to the real world, you didn't just have one or two people on, you had thousands of simultaneous users. Beyond that, the sessions had a relatively long TTL (a few hours, if I remember right).

        Well, User A logs in, does their stuff, and then leaves. No problem. They could have even hit the logout button, but CF didn't properly ditch the session. When User X (someone down the line) came in, they were issued the *same* session cookie. It didn't validate anything. It didn't care what your IP, username, or anything were. So when they reached part of the site dependent on the session cookies, their credentials tied in with User A's session, not theirs.

        Needless to say, the users were not entertained.

        Beyond that, I demonstrated that with a little bit of cookie manipulation, you could access any account that was recently active. I did it with just changing a few things to arbitrary values, and accessed someone else's account. I then had *them* go to the site and log in. They then read me off their cookie information, and I modified my cookie to match. Voila, I'm them.

        They weren't very happy. There was a period of about 10 minutes, where there was some colorful language used. They finally went to work writing their own cookie routine, so they wouldn't have the risk of these collisions any more.

        With the load that Facebook can throw at a site, I'm sure there's a huge risk of collisions. Not ever user would have the luxury, but enough would to make it an issue. Someone should have seen it coming and dealt with it, but obviously it wasn't handled properly.

       

    --
    Serious? Seriousness is well above my pay grade.