Nov. 14, 2007

Posted in Facebook | 3 comments

Compare People on Facebook (Fixed)

Vulnerability:

  • The Compare People application on Facebook sends user profile information, such as age, gender, city, ZIP code, favorite music, favorite movies, favorite TV shows, favorite books, “about me,” activities, interests, and political view to Google AdSense when displaying advertisements within the application.

Progress: Facebook has been notified.  Compare People has commented; see below for updates.

More Detail: Today I was checking out my rankings in Compare People and decided to check for any security or privacy holes.  While I haven’t actually hacked it (though I have some ideas), I was quite surprised to discover how much of my profile information is collected and sent to AdSense.  From what I understand, this information is stored by Google, and thus this practice clearly violates Facebook’s TOS in that 1) it shares personal information with a third party without the user’s knowledge or consent and 2) the third party stores information whose storage is restricted by the platform documentation.  The code for Compare People caches this information and information on a user’s friends, but does not appear to store any of the data long-term.  I checked Compare People’s application page and off-Facebook documentation for a privacy policy and never found one, which could be another TOS violation.
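The problem described above is a data-flow one: profile fields leave the application inside requests to a third-party ad host. An added example (not code from the original post or from Compare People) of how a reviewer can check an application for this, given the user's profile record and a log of the URLs the app's pages request. The first-party host (app.example.com), the ad host (ads.example.net), the profile record and the request log are all constructed for the example.

```python
"""Audit outgoing third-party requests for leaked profile fields.

Added example, not code from the original post or from Compare People.
The profile record, the request log and the hypothetical ad endpoint host
(ads.example.net) are constructed stand-ins for what an app actually sends.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts the application itself is allowed to talk to (assumption: the app
# lives under app.example.com). Anything else counts as a third party.
FIRST_PARTY_HOSTS = {"app.example.com"}

# Constructed profile record, roughly the fields the post lists.
PROFILE = {
    "age": "24",
    "gender": "female",
    "city": "Springfield",
    "zip": "62704",
    "favorite_music": "Radiohead, Sigur Ros",
    "favorite_movies": "Blade Runner",
    "political_view": "Moderate",
}

# Constructed request log: one first-party call and one hypothetical ad call
# that packs profile values into a keyword-hint parameter.
REQUEST_LOG = [
    "https://app.example.com/compare?uid=1001",
    "https://ads.example.net/show?hints=Springfield%2C+Radiohead%2C+Blade+Runner&age=24&zip=62704",
]


def _tokens(value):
    """Split a comma-separated profile value into lowercase comparison tokens,
    e.g. 'Radiohead, Sigur Ros' -> {'radiohead', 'sigur ros'}."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def audit_requests(profile, urls, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return {third_party_host: sorted list of profile fields whose values
    appear in that host's query strings}. Hosts with no match are omitted."""
    findings = {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in first_party_hosts:
            continue
        # Flatten every query value into tokens, splitting on commas so a
        # packed keyword list is compared item by item. Short numeric values
        # such as an age can collide with unrelated parameters, so treat a
        # hit on those fields as something to confirm by hand.
        sent = set()
        for values in parse_qs(parts.query).values():
            for v in values:
                sent |= _tokens(v)
        leaked = [field for field, value in profile.items() if _tokens(value) & sent]
        if leaked:
            findings.setdefault(host, set()).update(leaked)
    return {host: sorted(fields) for host, fields in findings.items()}


if __name__ == "__main__":
    for host, fields in audit_requests(PROFILE, REQUEST_LOG).items():
        print(f"{host}: profile fields sent -> {', '.join(fields)}")
```

Run against the constructed log, the audit reports ads.example.net receiving age, city, favorite_movies, favorite_music and zip, which is exactly the kind of finding the post describes; the first-party request is ignored. In practice the request log would come from a proxy or browser capture of the app's pages, and the first-party allow-list would be the app's own domains.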

Update: Thanks to Naval Ravikant from Compare People for replying and clarifying some things.  First, according to Ravikant, Google does not store the profile fields like location, favorite movies, etc. and only uses them as keywords when generating the ads.  Prior to posting I had researched this feature of AdSense, and best I could tell the info was stored.  But as Ravikant pointed out, “personally identifiable information,” such as a user ID or name, is not passed on.  Finally, Ravikant mentioned that many Facebook applications are employing the same techniques in generating their ads.  I still don’t think transmitting such data to another application without notification or consent from the user would be consistent with the TOS, but Facebook will have to answer that question.

Compare People is disabling the feature until they get some clarification on whether it violates the TOS, and I appreciate their responsiveness.  In any event, this once again reminds users how many ways data about them can be collected and used on the Internet, both with Facebook applications and Google AdSense.

Update 2: VentureBeat received word from Google that they have asked Facebook app developers not to send such information as keywords any more, have stopped using such keywords, and have not received any “personally identifiable information.”

  1. Naval Ravikant says:

    Hey Harmony Guy,

    Appreciate your being on top of this stuff. Actually, this is just profile keywords being fed into Google AdSense to do ad targeting (search on “Google Hints”) and shouldn’t contain any personally identifiable information (Google doesn’t get the UserID for example, and never gets a complete profile or anything close to it).

    Also, Google has assured us that they do not cache or store any of this data.

    Also, we are far from the only application doing this. There are many applications participating in Google Adsense and using hints_targeting.

    Still, until we make sure that it’s not a real violation, we’re disabling it.

  2. darren hills says:

    so up there at the top, u said u had some ideas on how to hack compare people anyway… could u post those ideas??

  3. Hey, HarmonyGuy.
    I’m a French guy, and some PC Magazine just mentioned your name multiple times in some article on the Facebook vulnerability.
    Congrats for this and all your work :)

    Verdey

Trackbacks/Pingbacks

  1. Google is Secretly Mining Facebook Data - The Unofficial Facebook Blog - [...] The Harmony Guy has posted an interesting article highlighting a vulnerability in the Compare People application on Facebook. This ...
  2. Are social networks putting us in danger? « Always New Mistakes - [...] RockYou OpenSocial application emote. It took him 20 minutes to hack the iLike application on Ning. Today theharmonyguy announced ...
  3. More about the Google ads that run inside Facebook | BlogForward : Money - [...] issue started yesterday when a software hacker who goes by the moniker theharmonyguy wrote that a popular Facebook application ...
  4. Marketing, Technology, and Entrepreneurial Experience - Blog by Tradedot » Blog Archive Social Scam » - [...] Another instance recently reported by the social hacking blog, [...]
  5. view private profiles on facebook - [...] shows, favorite books, “about me,” activities, interests, and political view to Google AdSense https://theharmonyguy.com/2007/11/14/compare-people-on-facebook/ Facebook - View All Photos - Userscripts.org Also ...
  6. Google is Secretly Mining Facebook Data | FaceBook News - [...] The Harmony Guy has posted an interesting article highlighting a vulnerability in the Compare People application on Facebook. This ...
  7. Make Facebook Application | Benaughty Facebook - [...] MythsFacebook: ULTIMATE ‘Hard to LIKE’ EditionInstalling Facebook Comments On WordPressCompare People on Facebook (Fixed)How to Use Facebook for Brand ...
