Friday, August 13, 2010
It looks like there’s yet another little bug that compromises the privacy of Facebook users - all 500 million of them - and it doesn’t matter how a user has set the account’s privacy settings.
The bug can be found in the error page that comes when a user attempts to sign in but types in the wrong password. The system automatically populates the error page with that user’s first and last names, along with the profile picture, and gives the user the chance to re-enter the password.
Now, that’s kind of helpful - not can’t-live-without-it helpful - but still a nice feature for the user. But what if you type in someone else’s e-mail address with the wrong password? Yup, you guessed it: full name and a profile pic for that person.
And to make matters worse, it doesn’t even have to be the e-mail address that the person used to register his account. If that address is listed anywhere in the user’s profile, it will pop up with the full name and picture. Check out the image of my own error page. My work e-mail address is not the address that I use to sign in to my account but it is listed in my profile.
OK, how big of a deal is this? Well, Atul Agarwal, who exposed this bug on the Secfence Technologies’ Full-disclosure blog this week, wrote a PHP script that works with large lists of email addresses to harvest the data. Agarwal wrote:
Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.
And, no, this isn’t some sort of cache thing that populates the field because you’ve used that particular address before. I went into my own personal contacts list and pulled up the email address of someone random who I knew I was not Facebook friends with. It worked perfectly.
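To make the failure mode concrete, here is an added example (not Facebook's code and not Agarwal's script) that models the login handler described above in Python: a constructed user store with a leaky handler that echoes the account holder's name and picture on a bad password, beside a hardened handler that answers every failed attempt identically. All names, addresses and the store itself are invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample store (no real accounts). Each record carries the sign-in
# address plus every other address shown on the profile, mirroring the post's
# point that any profile-listed address triggers the lookup. sha256 stands in
# for a real password hash (bcrypt/argon2) to keep the example dependency-free.
USERS = {
    "alice@example.test": {
        "name": "Alice Example",
        "picture": "/pics/alice.jpg",
        "profile_emails": {"alice@example.test", "alice.work@corp.test"},
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
    },
}
# Random hash compared against when no account matches, so the hardened
# handler does the same amount of work either way.
DUMMY_HASH = hashlib.sha256(secrets.token_bytes(16)).hexdigest()

def _hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def _lookup_by_any_address(email):
    """Find an account by sign-in address or any profile-listed address."""
    for record in USERS.values():
        if email in record["profile_emails"]:
            return record
    return None

def login_leaky(email, password):
    """The behaviour the post describes: a failed login still hands the
    account holder's name and picture to an unauthenticated caller."""
    record = _lookup_by_any_address(email)
    if record and hmac.compare_digest(_hash(password), record["pw_hash"]):
        return {"status": "ok", "name": record["name"]}
    if record:
        return {"status": "bad_password", "name": record["name"],
                "picture": record["picture"]}
    return {"status": "no_such_account"}

def login_hardened(email, password):
    """Fixed form: only the sign-in address is consulted, the comparison
    always runs, and the error body is the same whether or not the address
    maps to an account, so nothing is disclosed before authentication."""
    record = USERS.get(email)
    target = record["pw_hash"] if record else DUMMY_HASH
    ok = hmac.compare_digest(_hash(password), target)
    if record and ok:
        return {"status": "ok", "name": record["name"]}
    return {"status": "error", "message": "Incorrect email or password."}
```

The hardened handler still needs per-account and per-source rate limiting, since a uniform error message alone does not stop high-volume guessing.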
Facebook has worked hard to address privacy concerns and I have no doubt that the company will be closing this loophole soon. But, as the company has taken a beating over its efforts - or lack thereof - to curb privacy abuse, I can’t help wondering whether this is just a loophole that the company missed or whether it is simply taking a reactive stance on privacy issues - that is, waiting until someone exposes something and then fixing it.
What I’d like to see is Facebook taking some proactive steps to scour the site and look for any and every possible loophole that could compromise privacy - and then close it.
Just another day in Facebook land. Go ahead and change ALL your settings to open, so anyone can see anything you post, message or chat. Go ahead... I'll give you a minute.
Because that's what Facebook is already doing for you, no matter what they tell you in your privacy setting, account set-up or user control. They are deceptive to the end user, so they can use YOUR private information for marketing to you better, then sell that information to 3rd party vendors. I have no problem with being open and sharing your information on the internet or in any social media outlet... I just don't like the deceptive practice that THIS company takes. They have "ooop-sies" and "slip-ups" WAY too often for it to be a coincidence.
If you want your conversations, email address and phone numbers protected from the public... don't use Facebook. It's that simple. If you truly don't care what information of yours is shared, by all means, use Facebook in all its glory. It is a really, really useful service, because of the size of the user base and ease of use. Just go in with eyes wide open and understand that there is NO privacy expectation.
Facebook "Like" button is to the left, thanks.