Facebook: Huge security flaw.
May 6th 2008 12:39
The BBC technology program ‘Click’ has shown how vulnerable your personal information is on Facebook and how easily that information could be stolen.
Facebook allows users to add myriad applications to their profile. But as the BBC has shown, anyone with coding experience could potentially mine your personal info by creating a malicious program concealed as an application.
When you add an application, unless you say otherwise, it is given access to most of the information in your profile, including that of your friends regardless of their security settings. That makes you not only responsible for your own security but that of other people’s. How comfortable are you with that?
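To make the transitive exposure in that paragraph concrete, here is an added example (not code from the post, the BBC or Facebook) in Python: it models a directory of profiles with per-field visibility settings and contrasts the access rule the post describes with a least-privilege rule, which is an assumed policy rather than any platform's actual one, then audits which private fields each rule releases.

```python
from dataclasses import dataclass, field

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"

@dataclass
class Profile:
    """One user's profile: field values plus a per-field visibility setting."""
    name: str
    fields: dict
    visibility: dict
    friends: set = field(default_factory=set)

def app_view_2008(installer: Profile, directory: dict) -> dict:
    """Policy the post describes: installing an app exposes the installer's
    whole profile and every friend's profile, ignoring the friends' settings."""
    view = {installer.name: dict(installer.fields)}
    for friend in installer.friends:
        view[friend] = dict(directory[friend].fields)
    return view

def app_view_least_privilege(installer: Profile, directory: dict, requested: set) -> dict:
    """Hardened policy (an assumption, not any platform's actual rule): the app
    gets only fields it declared; the installer's PRIVATE fields stay hidden; a
    friend's field is released only if that friend marked it PUBLIC, because
    the friend never consented to this app."""
    def release(profile: Profile, allowed: set) -> dict:
        return {k: v for k, v in profile.fields.items()
                if k in requested and profile.visibility.get(k, PRIVATE) in allowed}

    view = {installer.name: release(installer, {PUBLIC, FRIENDS})}
    for friend in installer.friends:
        view[friend] = release(directory[friend], {PUBLIC})
    return view

def leaked_private_fields(view: dict, directory: dict) -> list:
    """Audit helper: (user, field) pairs released although the owner marked
    that field PRIVATE, i.e. data exposed against the owner's own settings."""
    return sorted((user, k) for user, fields in view.items()
                  for k in fields if directory[user].visibility.get(k) == PRIVATE)

# Constructed sample data: alice installs an app; her friend bob kept his
# address private and his hometown friends-only.
DIRECTORY = {
    "alice": Profile("alice", {"name": "Alice", "hometown": "Leeds"},
                     {"name": PUBLIC, "hometown": FRIENDS}, {"bob"}),
    "bob": Profile("bob", {"name": "Bob", "hometown": "York", "address": "1 High St"},
                   {"name": PUBLIC, "hometown": FRIENDS, "address": PRIVATE}, {"alice"}),
}
```

Under the first rule bob's private address reaches the app through alice's install; under the second it does not, and the audit helper shows the difference.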
So how did the BBC uncover this security breach? First they made up a fictitious profile and set it so that most of the information was set to private and therefore supposedly not able to be seen by non-friends. Then using a couple of laptops, a BBC coder created a special application that Facebook users could add. Then he wrote a data mining application called Miner, which could masquerade as a game, a test, or a joke.
But whatever the application looks like, because it is coded with a data miner, it is running in the background collecting personal details, and those of the users' friends. The program they wrote did just that and then emailed the mined information from Facebook back to the BBC inbox.
It took them less than three hours to create, add and successfully mine the data on the fake profile. Although they didn’t manage to get all of the information, they got enough – name, hometown, school, interests and photo – to be used for identity theft purposes. And apparently anyone with a basic understanding of web programming can write these applications.
Now the BBC aren’t saying that any of the current applications DO steal your data, they are saying how easily they COULD steal it. To the best of their knowledge the only application which abused user information is theirs. But the fact that they created and used their application with such ease is disconcerting to say the least.
When the BBC contacted Facebook they were told that “users should exercise caution when adding applications. Any programs which violate their terms will be removed”. The BBC told them of their concerns and Facebook responded by saying they have an investigations team monitoring the site and any applications violating the terms of use would be removed.
But my question is, if something like this did happen, how long would it take them to discover it and how has your data been used in the meantime? All of the applications are run on third-party servers and it's therefore difficult for Facebook to know what is going on or how these companies are using and storing your data.
Facebook do have a warning that this could happen in their terms and conditions; the fact is the applications would not work if people didn’t put their details into them.
Interestingly, Myspace recently opened its own application platform, BUT, all applications are run on their own servers so they can see what is going on. It also manually checks all submissions and rechecks them if authors wish to change the code. The BBC did attempt to do the same kind of thing on the MySpace system but could not infiltrate it.
Anyone that knows me personally knows that I have been a huge detractor of Facebook for quite some time for a number of reasons, the main one being the following from their terms and conditions:
By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing.
I have a problem with Facebook being able to use anything of mine for advertising and such. That could be too easily abused.
I do have a Myspace page and have personal content such as photos up but I would never publish on a social network site my employer or address or many of the other things some Facebook users put on their profiles thinking that their private information can only be seen by friends.
Please, if you do use Facebook, be aware. You could easily have data you think private stolen and exploited. And remember, you wouldn’t even have to be the victim of a malicious application yourself, just be a ‘friend’ of someone that has. Although legally Facebook have covered themselves by stating this in their terms and conditions, this does raise a question of ethics. And the way it is set up at the moment, there is little they could do to tighten security; the whole site would need an overhaul and Facebook would need to be in control of your information.
Personally I just won't go there.
Information from news.bbc.co.uk
Comment by Hatchy
Facebook scum.
Comment by Johnny Come Lately
Jack's Back
Comment by Anonymous
Facebook. Just Say No!
Comment by Anonymous
Comment by Kleonaptra
Kalikapsychosis
I'm on Facebook for one reason - a friend I haven't seen in years asked me to join. She's one of those on again off again friends and I thought we could reconnect via Facebook because I hate to lose friends in this great big world. However I've been nervous about the amount of information they require for a while now - why the bloody hell do I have to give my phone number, my email password? Not fair!
This post has inspired me to delete my account. She's not worth it.
Comment by Cheryl J
Funny Videos
Rhythmatism
Zentertainment
Johnny, I think the whole work networking thing is ridiculous. Why the hell would anyone want their co-workers or boss knowing what they do in their private time? If you weren't careful you could seriously stuff up your career.
Comment by Cheryl J
Anonymous 2. That's the scary part, people don't know how vulnerable their information is. Just be careful what information you have on your profile.
Comment by Cheryl J
I did join for about a week last year like you because of a request from someone. The terms I mentioned above grated on me and I was about to leave when the clincher came. I had only ever logged on with a personal email address, I had never mentioned where I worked or joined any networks, but I logged on one day and my work email appeared on my profile. I immediately demanded that they erase all of my information, which took numerous emails and a couple of weeks to do. I still have no idea how they got that email address and it freaked me out badly.
I don't trust ANYTHING about that site.
Comment by Morgan Bell
Deep Pencil
Current Business News
Movie Train
Artist Quirk
If someone wants to steal my identity go right ahead, maybe they will have better luck with it than I did!
All jokes aside, great info Cheryl!
Comment by Cheryl J
Maybe they could steal your identity and get stuck with your bills. Now that would be worth it!
Yes, I wonder what your Orble stalker would do with it. The mind boggles.
Comment by Kleonaptra
I just wanted to mention that's more real than we think it is. The virtual world can become uncomfortably real if you say the wrong thing. It's a mistake I won't make again!
And yeah, Facebook haven't deleted anything but my account is not visible. They want me to log in again and reactivate. No way!
Comment by Cheryl J
I hope you have no problems with them.
Comment by Meggie
TV Chit Chat