Compare People on Facebook (Fixed)

Vulnerability:

  • The Compare People application on Facebook sends user profile information, such as age, gender, city, ZIP code, favorite music, favorite movies, favorite TV shows, favorite books, “about me,” activities, interests, and political view to Google AdSense when displaying advertisements within the application.

Progress: Facebook has been notified.  Compare People has commented; see below for updates.

More Detail: Today I was checking out my rankings in Compare People and decided to check for any security or privacy holes.  While I haven’t actually hacked it (though I have some ideas), I was quite surprised to discover how much of my profile information is collected and sent to AdSense.  From what I understand, this information is stored by Google, and thus this practice clearly violates Facebook’s TOS in that 1) it shares personal information with a third party without the user’s knowledge or consent and 2) the third party stores information whose storage is restricted by the platform documentation.  The code for Compare People caches this information and information on a user’s friends, but does not appear to store any of the data long-term.  I checked Compare People’s application page and off-Facebook documentation for a privacy policy and never found one, which could be another TOS violation.
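The check a developer or reviewer would want here is a way to confirm, from a captured ad request, whether any profile fields left the application.  The following is an added example and is not code from Compare People, Facebook, or Google; the sample profile, the ad-request URL, and its parameter names (`hints`, `age`, `gender`) are constructed for illustration, so the check scans every query parameter rather than relying on any particular name.

```python
"""Detect profile fields that leak into a third-party ad request.

Added example; not code from Compare People, Facebook, or Google.
The parameter names in the sample request are constructed and are not
a description of how AdSense actually receives keywords.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample profile, of the kind a Facebook application could read.
PROFILE = {
    "age": "24",
    "gender": "Female",
    "city": "Austin",
    "zip": "78701",
    "favorite_music": "Radiohead, Sigur Ros",
    "favorite_movies": "Brazil",
    "political_view": "Libertarian",
}

# Constructed ad request as a proxy or browser tool might capture it.  The
# "hints" parameter stands in for a keyword list built from the profile.
SAMPLE_AD_REQUEST = (
    "https://ads.example/show_ads?client=app-123"
    "&hints=radiohead,austin,libertarian&age=24&gender=female&hl=en"
)


def _tokens(text):
    """Lowercase word tokens of a value, with commas and stray punctuation removed."""
    words = text.replace(",", " ").split()
    return {w.strip(".,;:'\"()").lower() for w in words} - {""}


def find_leaked_fields(ad_request_url, profile):
    """Map each profile field to the query parameters carrying any of its tokens.

    Matching is token-based and case-insensitive, so a concatenated keyword
    list such as "radiohead,austin,libertarian" is caught field by field.
    """
    params = parse_qsl(urlsplit(ad_request_url).query, keep_blank_values=True)
    leaks = {}
    for field, value in profile.items():
        wanted = _tokens(value)
        for name, pvalue in params:
            if wanted & _tokens(pvalue):
                leaks.setdefault(field, set()).add(name)
    return {field: sorted(names) for field, names in leaks.items()}


def strip_leaking_params(ad_request_url, profile):
    """Return the request with every parameter that carried profile tokens removed.

    This is the blunt remediation: drop the offending parameters entirely
    rather than trying to sanitize the keyword list.
    """
    parts = urlsplit(ad_request_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    leaking = {n for names in find_leaked_fields(ad_request_url, profile).values() for n in names}
    kept = [(n, v) for n, v in params if n not in leaking]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for field, names in sorted(find_leaked_fields(SAMPLE_AD_REQUEST, PROFILE).items()):
        print(f"{field} leaks via {', '.join(names)}")
    print("cleaned:", strip_leaking_params(SAMPLE_AD_REQUEST, PROFILE))
```

Run it against a request captured by a proxy while the application renders an ad; any field reported is data that reached the ad network, whether or not the network stores it.  Token matching deliberately ignores short partial matches, so a ZIP code is only flagged when it appears as a whole value.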

Update: Thanks to Naval Ravikant from Compare People for replying and clarifying some things.  First, according to Ravikant, Google does not store the profile fields like location, favorite movies, etc. and only uses them as keywords when generating the ads.  Prior to posting I had researched this feature of AdSense, and as best I could tell the info was stored.  But as Ravikant pointed out, “personally identifiable information,” such as a user ID or name, is not passed on.  Finally, Ravikant mentioned that many Facebook applications are employing the same techniques in generating their ads.  I still don’t think transmitting such data to another application without notification or consent from the user would be consistent with the TOS, but Facebook will have to answer that question.

Compare People is disabling the feature until they get some clarification on whether it violates the TOS, and I appreciate their responsiveness.  In any event, this once again reminds users how many ways data about them can be collected and used on the Internet, both with Facebook applications and Google AdSense.

Update 2: VentureBeat received word from Google that it has asked Facebook app developers not to send such information as keywords anymore, has stopped using such keywords, and has not received any “personally identifiable information.”

Some Clarification

I wanted to take a moment to clarify some issues I’ve seen several people raise…

First, when I say I’m an amateur, I’m not simply being modest.  I do have a good bit of programming experience (though more in network administration), but these recent adventures have involved some skills that are less developed.  I appreciate the kind words and offers people have sent my way, but I’m probably not as great a hacker as they think I am.  Also, I’ve already started to show some of my ignorance in some misunderstandings of Ning - this is a learning process for me, and I’m sure for other less-experienced developers too.

Second, the “hacks” thus far have been consequently quite simple - they can hardly be called hacks.  I’ve never claimed that they were advanced, so don’t be disappointed when you find out details. :)  I do plan to continue digging through code and looking for more sophisticated loopholes, but this is more of a hobby for me, and these initial issues were very straightforward.

Third, by pointing out these problems, I’m not saying that OpenSocial can’t work.  OpenSocial is a fine idea that will probably be very successful.  But as Dan Farber pointed out, the platform is still in its early stages and there are still details being worked out.  And as a developer, I’m still working out various details as well.  Personally, I had expected more initially from the way things were marketed, but a more “open” development process is a fair approach, so long as people understand things are not finalized.

Finally, I’ve been trying to keep current on many of the recent social networking and web development trends, so I may share some thoughts on here from my perspective, for what they’re worth.  But I probably won’t post too often, as other responsibilities keep me fairly busy these days.  Still, I thought this blog would be a convenient way to post more adventures in code experimentation - it’s been fun for me to learn more about OpenSocial and the Facebook Platform the last few months, and I hope my experiences can at least help a few other developers.

Anyway, I didn’t want anyone to be misled by any recent reports. :)  Shout out to the companies I’ve mentioned here, who have all done a good job of responding to my concerns and handled the situations well.  And thanks to TechCrunch for getting the word out.

iLike on Ning (Fixed)

Date: November 5, 2007

Initial hack: 20 minutes

Vulnerabilities:

  • Able to access listing of friends for any user and limited personal information about these friends
  • Able to add and remove playlist tracks for any user

Coverage: TechCrunch

Progress: Ning and iLike have both been notified.  Ning has replied and stated they are working to fix the issues ASAP.

Update: First “vulnerability” not a vulnerability at all; I’m new to Ning so didn’t realize the data was already available via JSON.  Ning has made some updates to fix the iLike issues; haven’t tested them yet.

Update 2: On November 14 I tested my hack again, and Ning seems to have plugged the hole.  Good work.

RockYou’s Emote on Plaxo

Date: Friday, November 2, 2007

Initial hack: 45 minutes

Vulnerabilities:

  • Able to change current Emote status for any user
  • Able to access Emote history and current status for any user
  • Able to insert HTML, including JavaScript, into Emote pages

Coverage: TechCrunch

Progress: Plaxo has removed Emote from their whitelist.  As of Nov. 6, Emote remains unpatched.

Checking the security and privacy of social networking applications, white hat style…