Archive for the 'Facebook' Category

Social Me Still Too Social

Wednesday, July 16th, 2008

Social Me is another Facebook application that was recently banned, then more recently reinstated.  I’m not sure exactly why they were banned to start with, but they ought to know their application still has a gaping security hole.  I hadn’t experimented with Social Me much before, but when I saw they were back online I [...]

Quick Update on Top Friends

Tuesday, July 15th, 2008

If you’ve been keeping up with Facebook development news, you’ve no doubt heard about the Top Friends application getting banned.  In the past I’d pointed out that you could access application data about other users, but that was before Slide created quasi-profile pages within the application.  These exposed not only application data but actual profile [...]

More Advertising Issues on Facebook (Updated)

Friday, June 20th, 2008

Originally posted June 7
Today I logged into Scrabulous and was greeted with a rather unusual ad.  Above my games list, a banner encouraged me, “Put one of Your FRIENDS on an Album cover!”
What was unusual is that the banner included the names and profile pictures of several Facebook friends.
Since the ad is appropriating the likenesses (and [...]

Microsoft’s Facebook Export

Thursday, March 27th, 2008

Uno de Waal noted yesterday that Microsoft’s new contact exchange system lets you export e-mail addresses from Facebook, a feature not available to other developers and not available in any other form to users.
Intrigued by this new setup, I checked the code to find out what exactly was happening.  Microsoft’s site loads a Facebook iframe [...]

News: Facebook Private Photos

Tuesday, March 25th, 2008

When I checked TechMeme this morning (yesterday evening was rather busy), I discovered a reminder that even a large site like Facebook is susceptible to the sort of query string problems I’ve discussed previously.  Kudos to those who found the hole, and to Facebook for apparently fixing it quickly once it received wide attention.
A commenter [...]

SMUG Facebook Challenge

Saturday, March 1st, 2008

You may have heard about the $100 hacking challenge issued by social media instructor Lee Aase.  You may have also expected me to take a stab at it.  You may have even thought I would win it.
You’d almost be right.
A friend sent me a link to the challenge the day Lee posted it, and by [...]

Facebook Contacts

Monday, February 18th, 2008

Discovered an interesting little trick today, though not one I would classify as a hack or big security risk, though it’s a slight privacy hole.  After reading about an old method for accessing the friend list of a user logged into Facebook (Facebook has apparently fixed this one), I did some poking around.  To my [...]

Social Security 102: Client-Side Code

Monday, February 11th, 2008

Second in a series.  First post: Query Strings
In this post, I’ll both detail the iLike on Ning hack and raise a question about web development in general.  This particular hack makes me wonder about some larger security issues.
In the early days of OpenSocial, I didn’t have many platforms to test on.  After working with Plaxo, [...]

Facebook Application History Pages

Monday, February 4th, 2008

Rather than post about individual applications, I thought I would go ahead and do a combined post about an issue I keep encountering.  In my post on query strings, I noted that applications with some sort of history page are susceptible to a privacy problem if other people could access the page.  Not only does [...]

Top Friends on Facebook

Monday, February 4th, 2008

Date: February 4, 2008
Initial hack: 15-20 minutes
Vulnerabilities:

Able to access Top Friends information (e.g. the user’s top friends, who the user is a top friend of) for any user

Progress: Slide, Inc. has been notified.
Details: Can you tell I’m playing with Facebook apps tonight?  This hack uses the same kind of technique as the iLike on Ning [...]

Checking the security and privacy of social networking applications, white hat style…