Feb. 4, 2008

Posted in Facebook

Facebook Application History Pages

Rather than post about individual applications, I thought I would go ahead and do a combined post about an issue I keep encountering. In my post on query strings, I noted that applications with some sort of history page are susceptible to a privacy problem if other people can access the page. Not only does the history page list communications between the user and his/her friends, but such a listing also indicates who at least some of the user's friends are, and some Facebook users have their friend lists set to be inaccessible to non-friends.

As I said, I keep encountering this problem.  To give you an idea of how common it is, here are a few of the applications where I have found it trivial to access the history pages of users with private friend lists:

  • SuperPoke
  • FunWall
  • Super Wall
  • Moods

The first has over 400,000 daily active users, while the next two each have over a million. The fourth has just under 100,000 daily active users, but I'll note it doesn't include any information about friends in the history page. I've contacted Slide, Inc. twice about the issue with SuperPoke, and frankly I'm quite surprised to see it present in all four of these popular applications. Perhaps it's by design, but I think most users are probably under the impression that all of their history with one of these applications is not accessible to people who can't access their profiles, and that's simply not true. Fixing the problem would involve a simple if-then statement to see if someone requesting a history page has sufficient rights to view the information.
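To make the missing check concrete, here is an added example (my own illustration, not code from the post or from any of the applications named in it) of a history-page handler in the vulnerable form beside the fixed form. The data model, user names and history entries are constructed for the example; the `USERS` and `HISTORY` tables stand in for whatever storage and platform friend-list lookup a real application would use.

```python
"""Authorization check for an application 'history page'.

Added example, not code from the post or from the applications it names.
Assumes a constructed in-memory model: each user has a friend list and a
setting for whether non-friends may see that list, and the application
stores one history entry per interaction between two users.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester may not view the requested history page."""


@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)
    friends_visible_to_non_friends: bool = True


@dataclass
class HistoryEntry:
    sender: str
    recipient: str
    action: str


# Constructed sample data: alice keeps her friend list private.
USERS = {
    "alice": User("alice", {"bob"}, friends_visible_to_non_friends=False),
    "bob": User("bob", {"alice", "carol"}),
    "carol": User("carol", {"bob"}),
    "mallory": User("mallory"),
}

HISTORY = [
    HistoryEntry("bob", "alice", "poke"),
    HistoryEntry("alice", "bob", "hug"),
    HistoryEntry("carol", "bob", "high-five"),
]


def entries_for(owner: str) -> list[HistoryEntry]:
    """All history entries that involve the given user."""
    return [e for e in HISTORY if owner in (e.sender, e.recipient)]


def history_page_vulnerable(viewer: str, owner: str) -> list[HistoryEntry]:
    """The pattern the post describes: 'owner' comes straight from the
    query string and nothing checks who is asking, so any logged-in user
    can read another user's history and, through it, part of their
    friend list."""
    return entries_for(owner)


def may_view_history(viewer: str, owner: str) -> bool:
    """The if-then check the post asks for: only the owner and the owner's
    friends may read the owner's history page. The friend list consulted
    here is the application's own table; a real application would ask the
    platform instead (hypothetical data model, not a platform API)."""
    if viewer == owner:
        return True
    owner_user = USERS.get(owner)
    return owner_user is not None and viewer in owner_user.friends


def history_page_fixed(viewer: str, owner: str) -> list[HistoryEntry]:
    """Hardened handler: decide before reading, rather than filtering after."""
    if not may_view_history(viewer, owner):
        raise Forbidden(f"{viewer} may not view {owner}'s history")
    return entries_for(owner)


def friends_leaked_by(page: list[HistoryEntry], owner: str) -> set:
    """What a non-friend learns from a leaked page: the set of counterparties,
    which is at least part of the owner's friend list."""
    return {e.sender if e.recipient == owner else e.recipient for e in page}


if __name__ == "__main__":
    # mallory is not alice's friend and alice's friend list is private,
    # yet the vulnerable page tells mallory that bob is alice's friend.
    leaked = history_page_vulnerable("mallory", "alice")
    print("vulnerable page leaks:", friends_leaked_by(leaked, "alice"))
    try:
        history_page_fixed("mallory", "alice")
    except Forbidden as exc:
        print("fixed page:", exc)
```

The point of `may_view_history` is that the decision depends on the relationship between the requester and the page's owner, not on the owner id in the query string alone; the owner's friend-list visibility setting does not enter into it, because the history page reveals friends whether or not the list itself is public.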

The fact that four of the most popular Facebook applications are vulnerable in this regard leads me to believe that many other applications have a similar issue.  Once again, this isn’t a major security hazard, but for some users it can be an important privacy issue.

Thankfully, I’ll add that I have not been able to actually change a user’s data (e.g. posting on their Super Wall) in any of these applications, unlike my original hack of Emote on Plaxo.  I primarily credit Facebook Platform’s authentication setup for this being the case.
