Jun. 25, 2009

Posted in Facebook, General | 3 comments

A Few Clarifications

Why bother highlighting privacy problems on Facebook? Isn’t privacy just an illusion anyway? With the way Facebook currently operates, users should probably assume that advertisers, developers, and hackers can access all of the information they post. However, most users are not aware of this, and fully believe in the privacy controls Facebook provides. Facebook needs to address privacy problems to match user confidence or better educate users on how easily others can access their data.

Hasn’t Facebook patched the holes that allow access to profile data? Those behind FBHive.com should be commended for the privacy hole they uncovered, which Facebook did patch. However, the privacy problems mentioned here remain unpatched. SuperPoke has patched the specific hole used in my demonstration hack, but other applications are still vulnerable to an identical attack.

Aren’t you simply highlighting problems in Facebook applications? Isn’t Facebook itself more secure? Mark it down: A vulnerability in a Facebook application is a vulnerability in Facebook itself. Since all applications are granted access to a wealth of user information and can perform many actions that directly affect a user, application holes can be exploited to the point of differing little from actually hacking a user’s profile.

Are these hacks really that serious if they require a user to click a special link? Hacks that do not require user intervention are certainly more powerful. However, many security researchers will affirm that getting a user to click on a link is not that difficult. Also, many of these hacks can work invisibly on what appears to be an otherwise harmless page. Finally, applications have many viral channels available to them, and these can be exploited by an application attack or a rogue application to compromise more users.

Doesn’t Facebook prevent advertisers from accessing personally identifiable information? For advertisements served by Facebook itself, the site does prevent such access. Unfortunately, several advertising networks for Facebook applications, such as SocialCash, can and do access personally identifiable information for targeting their ads. While this appears to be a clear TOS violation, Facebook has not shown interest in addressing this particular problem. Two ad networks were shut down recently, but apparently for deceptive ads and not for the user information they accessed.

Can Facebook enable third-party applications at all and still enforce user privacy? Security researchers may disagree on this particular question, but I do think it is clear that Facebook could do far more to protect user privacy. The Facebook Platform currently ignores important security techniques, and that neglect has led to problems such as my recent application hacks. For example, allowing every application full access to user information is a large part of what makes the hacks so serious.

  1. So far I’ve dropped, like, all the 3rd party apps on my page. Does it help anyway..?

  2. @rodentvs: The only way to completely protect yourself, at this point, is to visit the Platform settings page ( http://www.facebook.com/privacy/?view=platform&tab=other ) and exempt your profile from the API. I have taken that step, but I doubt many other Facebook users will be willing to do so.

    I personally believe that the best response would be to spread the word to other users and get people interested in these issues. Facebook has responded to user concerns in the past over the News Feed and TOS update – if users actually got worked up about these issues, perhaps Facebook would take action. Ultimately, true solutions to the problems I’ve listed have to start with Facebook.

  3. By the way, I’ve since realized that even exempting yourself from the Platform is not a complete solution, since you’re vulnerable to clickjacking attacks.
