Jun. 10, 2009

Posted in Facebook, General | 1 comment

Finally (Updated)

I’m happy to report that the issues mentioned in the last post here did not go unnoticed by others, including Facebook.

Earlier that day, Nick O’Neill questioned some of the ads I examined in my technical review, and he has since kept up the pressure about such ads. Today, I received a linkback from Joseph Bonneau (thanks man!), who also uncovered privacy problems with Facebook ads. Since most of the cats are out of the bag now, I’ll confirm that SocialReach and SocialHour, the two networks Joseph discussed, were indeed the culprits for most of the ads I investigated last time. However, these ads were being loaded through an iframe from AdMazing, which was behind my first advertising problem. The verified application I mentioned was We’re Related, and currently it still provides AdMazing with your full name, sex, date of birth, age, relationship status, and college information (schools, years, degrees, and majors) via the iframe URL. (The application also still appears to have the photo vulnerability I mentioned as well, if anyone cares.)

But even more good news follows. As Nick now reports, Facebook has shut down SocialReach and SocialHour, and updated their advertising guidelines a bit. Kudos to Facebook for taking at least some action on this issue. I’d still like to see changes to the platform to avoid future problems, but at least Facebook seems to be paying some attention to all this.

I’ve finally decided to write an application that I’ve thought about several times before – one that raises user awareness about issues on the Facebook Platform. I know that Facebook values user privacy, but readers of this blog know how many problems still exist. And as Joseph pointed out, “Unless users are complaining en masse, Facebook has little reason to police the platform…” I’ll keep you posted on the progress of the application.

Update: A commenter on AllFacebook mentioned they were still seeing ads for IQ quizzes, so I checked on things once again.  Turns out that many of the problems described previously still exist.  The ads have apparently been modified a bit; while previous ads showed IQ scores, implying friends had taken the quiz, the new ads simply speculate with descriptions such as “Genius?”  Meanwhile, if you watch the actual traffic, you’ll see that SocialReach is still making the same disturbing REST API queries using the application’s session information.  How is Facebook not noticing this?

May. 28, 2009

Posted in Facebook | 4 comments

About That Verification…

When Facebook announced the first Verified Apps a few weeks ago, someone sent me a link to the story and suggested I try to hack one.  This week I discovered one that appeared to have some holes, so I gave it a shot.  Not everything I tried worked, but I did discover some pretty interesting privacy issues.  The application does overlook some basic measures to prevent many of my techniques, so it wouldn’t surprise me if there are more holes I haven’t uncovered yet.

The application itself appears to only have one hole so far, but it’s a gaping one.  From my research thus far, it lets me access the photo albums of any user if the album Facebook privacy settings allow it (and by the way, the default settings do).  Rather than try getting photos from a celebrity (I’m just not that kind of hacker), I’m issuing an open invitation to news outlets who would like a demonstration of the hack.  Contact me via e-mail, which is my alias at Gmail, if you’re interested.  This invitation is limited to sites which have appeared on Techmeme in the past year.

But just as interesting as this issue is the privacy problems I found with the advertising used on the application.  I’ve torn apart ads on Facebook before, but I haven’t seen anything like this.  I noticed the app had banners which included friends’ names and profile pics, so I did my usual checking to see how it worked.   I discovered four things I find disturbing.

First, I was surprised to see right in the HTML for the application that when it called for an advertising banner, the iframe URL included my full name, sex, date of birth, age, relationship status, and college information (schools, years, degrees, and majors).  I didn’t really think an application, particularly a verified one, should be passing such profile information to a third party.

Second, I went through my usual process of editing query strings and cookies to see how little information was necessary to pull up friends in banner ads.  Much to my chagrin, providing simply a Facebook ID brought up ads with friends’ names and profile pics.  Note that this worked for people whose friend lists are not public.  Furthermore, the profile pictures were not always the person’s current picture, which led me to believe the ad network was storing such images.  In fact, the images were not even being loaded from Facebook at all – they were images stored on an ad network server.  Social Banners may not have been a TOS violation, but I’m having trouble seeing how this is not one.
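The "how little information is necessary" probing described above is a minimal-input reduction: drop one query parameter or cookie at a time and keep the removal whenever the banner still comes back personalised. The following is an added example, not code from the original post. The ad server it talks to is a constructed simulation of the behaviour reported above (it answers with friends' names whenever a Facebook ID is present and ignores everything else); all parameter names, values and the `adnet` cookie names are made up for illustration. In a real test, `send` would issue the HTTP request and `succeeds` would inspect the response body.

```python
"""Greedy minimal-input reduction against a request oracle.

Added example, not the original post's code. The ad server below is a
constructed simulation; hostnames, parameter and cookie names are invented.
"""
from typing import Callable, Dict, Tuple

# Constructed sample: everything the application handed the ad iframe,
# modelled as one dict of named inputs. Query parameters and cookies are
# treated alike, distinguished only by a "qs:" / "cookie:" prefix.
FULL_REQUEST: Dict[str, str] = {
    "qs:fb_uid": "12345",
    "qs:name": "Jane Example",
    "qs:sex": "female",
    "qs:birthday": "1985-04-12",
    "qs:relationship_status": "single",
    "cookie:adnet_session": "abc123",
    "cookie:adnet_name": "Jane Example",
}


def simulated_ad_server(inputs: Dict[str, str]) -> str:
    """Constructed oracle mimicking the observed behaviour: a Facebook ID
    alone is enough to get a banner populated with friends' names."""
    if "qs:fb_uid" in inputs:
        return "<img alt='Bob Friend'><img alt='Alice Friend'>"
    return "<img alt='generic banner'>"


def leaks_friends(body: str) -> bool:
    """Success predicate: the response still carries friend names."""
    return "Friend" in body


def minimize_inputs(
    inputs: Dict[str, str],
    send: Callable[[Dict[str, str]], str],
    succeeds: Callable[[str], bool],
) -> Dict[str, str]:
    """Drop-one reduction: remove each input in turn and keep the removal
    if the oracle still succeeds. Repeats until a full pass removes nothing,
    so the result is 1-minimal: no single remaining input can be dropped
    without the personalisation disappearing."""
    current = dict(inputs)
    if not succeeds(send(current)):
        raise ValueError("oracle does not succeed with the full request")
    changed = True
    while changed:
        changed = False
        for name in list(current):
            trial = {k: v for k, v in current.items() if k != name}
            if succeeds(send(trial)):
                current = trial
                changed = True
    return current


def minimal_leak_inputs() -> Tuple[str, ...]:
    """Names of the inputs that suffice to pull friends into the banner."""
    minimal = minimize_inputs(FULL_REQUEST, simulated_ad_server, leaks_friends)
    return tuple(sorted(minimal))


if __name__ == "__main__":
    print("sufficient inputs:", minimal_leak_inputs())
```

The reduction is deliberately greedy rather than exhaustive: it finds one minimal set, not every one, which is all that is needed to show that a bare user ID unlocks data about a non-public friend list. Because the oracle is a plain function, the same loop works unchanged when the inputs are headers or POST fields.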

Third, one of the ad networks stored my full name and Facebook ID as cleartext in its cookies.  Not a major issue, but still a bit unsettling.

Finally, in watching packets as I tested different techniques, I noticed some calls to Facebook’s REST API.  To my utter amazement, the referrer on these requests was not the application (the calls appeared nowhere in the app’s source code), but an ad network iframe.  The ad network used the calling application’s session information and API key to access the data.  And what data did it request?  I present three API calls the ad network issued (and I’ve checked that they do return the requested data from Facebook):

  • select uid, status, birthday, education_history, current_location, sex, meeting_sex, meeting_for, first_name, name, pic_square, affiliations, work_history, movies, relationship_status, tv, books, music, activities, interests, status, wall_count FROM user WHERE uid = '[current user ID]'
  • select uid, birthday, current_location, sex, first_name, name, pic_square, relationship_status FROM user WHERE uid IN (select uid2 from friend where uid1 = '[current user ID]') and strlen(pic) > 0 order by rand() limit 500
  • select subject from photo_tag where pid in (select pid from photo where pid in (select pid from photo_tag where subject = '[current user ID]')) and subject != '[current user ID]' and subject != '' or pid in (select pid from photo where aid in (select aid from album where owner = '[current user ID]')) and subject != '[current user ID]' AND subject != '' ORDER BY subject ASC limit 500
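Both of the problems above are visible in a proxy log without reading any application source: the ad iframe URL carrying profile fields, and REST API calls whose Referer is an ad network frame rather than the application. The following is an added example, not code from the original post, showing how to flag both from a captured request log. The endpoint `api.facebook.com/restserver.php` and the `fql.query` method with `api_key` and `session_key` parameters are the REST API of the time that the queries above were sent to; the hostnames `ads.adnet.example` and `apps.facebook.com/verifiedapp`, the log format, and the sample requests are constructed for illustration and name neither the application nor the networks from the post.

```python
"""Flag profile data in third-party iframe URLs and REST API calls whose
Referer is not the application itself.

Added example, not the original post's code. The log lines, hostnames and
parameter values are constructed; only the Facebook REST endpoint and the
fql.query method are real.
"""
from urllib.parse import parse_qs, urlsplit

APP_HOST = "apps.facebook.com"  # assumed: host of the application's canvas page

# Profile fields a third party should not be receiving in a URL.
SENSITIVE_PARAMS = {
    "name", "first_name", "last_name", "sex", "birthday", "dob", "age",
    "relationship_status", "school", "degree", "major",
}

# Constructed sample log: "<method> <url> referer=<url or ->", one request
# per line, in the order a proxy would record them as the canvas page loads.
SAMPLE_LOG = """\
GET https://apps.facebook.com/verifiedapp/ referer=-
GET https://ads.adnet.example/banner?uid=12345&name=Jane+Example&sex=female&dob=1985-04-12&school=State+U referer=https://apps.facebook.com/verifiedapp/
GET https://ads.adnet.example/pixel.gif?uid=12345 referer=https://ads.adnet.example/banner
GET https://api.facebook.com/restserver.php?method=fql.query&api_key=APPKEY&session_key=SESS&query=select+uid,+name,+birthday+FROM+user+WHERE+uid+%3D+12345 referer=https://ads.adnet.example/banner
GET https://api.facebook.com/restserver.php?method=users.getInfo&api_key=APPKEY&session_key=SESS referer=https://apps.facebook.com/verifiedapp/
"""


def parse_line(line):
    """Split one log line into (method, url, referer-or-None)."""
    method, url, ref = line.split(" ", 2)
    referer = ref[len("referer="):]
    return method, url, (None if referer == "-" else referer)


def findings(log_text=SAMPLE_LOG, app_host=APP_HOST):
    """Return a list of findings as tuples:
    ("pii_in_url", host, (leaked field names...))
    ("third_party_api_call", referer host, api method, decoded query)
    """
    out = []
    for line in log_text.splitlines():
        method, url, referer = parse_line(line)
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        ref_host = urlsplit(referer).hostname if referer else None

        # (1) A request to a non-Facebook, non-application host whose query
        #     string carries profile fields: the iframe URL leak.
        first_party = parts.hostname == app_host or parts.hostname.endswith("facebook.com")
        if not first_party:
            leaked = sorted(SENSITIVE_PARAMS & params.keys())
            if leaked:
                out.append(("pii_in_url", parts.hostname, tuple(leaked)))

        # (2) A REST API call (carrying the app's api_key and session_key)
        #     whose Referer is not the application: someone else is using
        #     the application's access.
        if parts.hostname == "api.facebook.com" and parts.path == "/restserver.php":
            if ref_host != app_host:
                api_method = params.get("method", ["?"])[0]
                query = params.get("query", [""])[0]  # parse_qs already URL-decodes it
                out.append(("third_party_api_call", ref_host, api_method, query))
    return out


if __name__ == "__main__":
    for finding in findings():
        print(*finding)
```

The Referer check is the interesting one: the request is indistinguishable from the application's own calls at the API end (same `api_key`, same `session_key`), so only the client-side capture reveals that an ad frame issued it. That is also why the platform could not easily notice it.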

Does anyone else find this disturbing?

By the way, these are not fly-by-night ad networks – they are used by many publishers.  Some may point out that users can adjust privacy settings to keep advertisers from accessing data (though that doesn’t really apply if the ads reuse application access), or opt out of advertising networks, or not authorize every application that comes along.  All valid points.  But how many users even know about these issues?  One of the primary purposes of this blog is simply to raise user awareness.  And at the risk of beating a dead horse, why does every Facebook application have access to all of this data to begin with?

It honestly frustrates me a bit that users get worked up over legalese in the Facebook TOS but ignore these sorts of privacy issues, which I and others have raised for quite a long time now.  The Facebook Platform has some of the best privacy settings in the industry, but critical flaws in the structure of the Platform seriously tarnish its reputation.  Yet neither Facebook nor its users seem particularly concerned about these flaws.

And yes, I’ve refrained from naming any applications or ad networks in this article.  My purpose is not and never has been simply to embarrass social networking sites and application developers.  Yet many of my previous posts seem to have been ignored by both.  I thought perhaps this time rather than just pointing out yet another set of privacy issues, perhaps I could whet someone’s appetite to become more interested in the larger issues at hand.  My blog has little reach (I’ve only showed up on Techmeme once), so perhaps others with larger audiences can help spread the word.

Apr. 27, 2009

Posted in Facebook | No comments

Facebook Opens Stream Access

Big news from Facebook today.  They’ve announced that third-party developers can now access a user’s “stream” of updates (basically, the new News Feed, which isn’t really the News Feed any more, or a user’s “Wall,” which isn’t really the old wall… never mind).  This move is somewhat risky, but in the end I think it will be a net gain – particularly for users.  I can only imagine what new applications people invent that take advantage of this, and developers are already getting started.  This may even help increase Facebook’s usefulness, which for me personally has declined significantly since the latest redesign.

However, as your local social networking hacker, I do have to add a caveat to all the good news.  The new feature automatically raises questions about privacy and security.  At this time, Facebook has wisely chosen to limit most content to items that are shared for “Everyone.”  (Adding that user group now makes even more sense.)  But status updates and shared items are accessible to applications even when shared with “Friends Only.”  Not a deal-breaker, but once again, users need to be clearly informed how this will work to avoid surprises.

Anyway, looking forward to seeing where this goes!

Mar. 16, 2009

Posted in Facebook, General | No comments

Getting Lost in the Lifestreams

Recent updates to Facebook have caused me to think further about a few ideas that have been in the back of my mind for some time. Rather than post my usual security analysis, I decided to try and record a few observations about trends in social networking and hopefully start a conversation about them. Specifically, I have noticed a shift from static profiles to dynamic feeds and a focus on shorter interactions. These thoughts are still rather undeveloped, but hopefully they will make some sense.

Facebook’s previous redesign took users from a primarily static profile to a primarily dynamic one. That’s not to say the old profiles never changed, but the changes tended to be subtler over time. A new profile picture, a new comment from a friend on the “wall,” perhaps a new favorite movie. The profile in general evolved over time at a slower pace than one particular section of it, the mini-feed. The mini-feed was the stock ticker at the bottom of the screen, giving quick highlights of the latest activity involving the person. The rest of the profile was the news broadcast, taking more time (and space) to tell the story or provide context.

The redesign merged the dynamic mini-feed with the most active parts of the profile to create a unified feed which took over the profile. Less active components, such as favorite movies or quotes, could still be accessed – but they were treated as a separate, less-interesting part of the profile that could be referenced if needed on occasion. The new central feed still used a few visual cues to distinguish types of stories. Status updates were generally short and frequent, so they were featured in a different manner from the larger blocks of text that friends would write for the less frequent wall posts.

Now, Facebook has introduced a revamped home page, and modified profile pages to match. The previous News Feed certainly provided dynamic updates on friends, but it was not a true, real-time “feed.” It often spanned large intervals of time, and included stories thought to be of interest to the user. In other words, the News Feed summarized. It helped provide an overview or the “big picture” of friends’ activity. The new News Feed, by contrast, emulates Twitter’s real-time feeds. A user with many active friends may now only see updates from the past hour when they first load their home page. The Highlights section on the right side of the page helps provide some of the broader context the older News Feed attempted to serve, albeit in a much more limited fashion.

Facebook’s revamped feeds no longer include the visual cues for distinguishing stories. On a profile, the only difference between a status update and a wall post is the name of the person who wrote the comment. The feeds now treat individual stories fairly equally; each item is simply another drop in the river of updates. The new Publisher box reinforces this perspective – it beckons a user simply to write, not to write a status update, write a note, or write a wall post.

In this respect, Facebook has become much more similar to Twitter. Each tweet is presented as any other tweet, and users employ tweets in a variety of ways, such as status updates or discussing technology issues. Many bloggers now refer to Twitter, FriendFeed, and similar sites by the apt name of lifestreaming services. The latest incarnation of Facebook could easily be categorized as lifestreaming also.

The rise of the dynamic seems to be quite a trend on modern social networking sites, with feeds becoming nearly ubiquitous. Yet the lack of a more static profile removes an aspect of a user’s experience. No longer is there an anchor for the user’s identity – a central place that declares, “This is who I am,” giving an overview of the user’s interests, activities, and personality. Instead, a user is defined by action: “This is what I do.”

Consequently, we lose the big picture. Feeds by nature do not summarize. They rarely provide an overview. Previous incarnations of user profiles, such as on forum sites or the old Facebook, did include feeds. But they were smaller segments to give a snapshot of user actions – such as the last few forum posts or the Facebook mini-feed. These were real-time sections that contributed to the overall presentation. Other aspects of the profile were much steadier, helping provide a more meaningful identity.

Suppose I haven’t talked to my friend Jane in quite a while and want to catch up. If I visit her social networking profile and see quick thoughts of hers and short messages from friends covering the last few days, I will have little understanding of her life at this stage. I will probably investigate for further clues of the big picture, such as what she’s doing for education and work, recent major events, photographs of the last few months. These help me to piece together figuratively where Jane’s life is at the moment.

Lifestreaming may be about sharing thoughts (e.g. Facebook’s new question, “What’s on your mind?”), but it can often accommodate laziness in relationships. As my life becomes busier and my friends increase in number, it becomes more difficult to engage in meaningful conversation with each person. But now I can broadcast my life in compact updates that friends are free to follow. I become a celebrity of sorts, letting fans track my thoughts and activities throughout the day without my answering any fan mail.

Conversation does occur on services such as Twitter, but the brevity befits our culture’s increasingly short attention span. Short messages have their place, but they are becoming the central dialogue in social networking. Previous versions of Facebook at least made more of an effort to distinguish status updates (brief, more frequent, purposeful), wall posts (medium length, occasional, conversational), and notes (longer, less frequent, kaleidoscopic). If the majority of our social networking reduces to exchanging 140-character tidbits, how can we truly connect with or understand the lives of our friends?

Obviously these thoughts do not cover all uses or users of Twitter, Facebook, and other such sites. Many people use Twitter for business purposes, not relating to friends. Short messages are well-suited to many casual conversations. But I am concerned by (1) the lack of static, big picture components to modern social networking, and (2) the reduction of most communication to quick, simple exchanges. Identity seems to be turning into a fluid concept, and social networking seems to be less about engaging in real, meaningful conversation with friends.

Granted, the information overload of our time would naturally tempt us to reduce the time spent on any task. Yet time investments will always be necessary in deeper human relationships. If only a social networking service would help us reinforce such a perspective and use technology to encourage such investments while removing hindrances to keeping in touch. The ephemeral has its place, but we dare not lose the bigger picture of who we are and how we relate to each other on deeper levels. Of course, this may require a change in mindset as much as a change in technology – how often do we ask how people are doing without expecting an honest answer?

Feb. 23, 2009

Posted in Facebook, General | No comments

You Don’t Say

Sophos, an IT security firm, has warned that the Error Check System application, while apparently harmless, could potentially have been used by rogue developers to steal the personal information of Facebook members. (Telegraph)

Readers of this blog should be well aware of the potential danger.  I personally think the “Error Check System” application is a brilliant example of what I and others have warned about for quite a while – an application that appears harmless and spreads quickly, yet can easily harvest user data along the way.  Users can go back and disable the application, but it only takes the first authorization for the application to access and store a user’s profile information.  For anyone who’s already tried to use the Error Check System, the damage has already been done.

Of course, the application may, in fact, be harmless.  How can we find out?  Only Facebook can tell what data the application actually retrieved, but even then there’s no way to know if it was consequently stored on another server.  Once again, TOS provisions on user data are unenforceable.

And once again, I hope this incident raises awareness of the current dangers with social networking applications.

By the way, if anyone finds a current link for the application, I want to install it on a test account and check out its code, so please pass on the URL to theharmonyguy at Gmail.
