Feb. 13, 2009

Posted in Facebook, General

Don’t Click My Application

Chris Shiflett has a good write-up on the Twitter “Don’t Click” prank that spread this week.  Hopefully the incident will raise awareness of clickjacking.

In fact, combined with the Facebook Platform, such a prank could be more dangerous.  As Adrienne Felt pointed out long ago, Facebook applications gain access to a wealth of user data, regardless of need.  It would only take one hijacked click for a malicious application to log such information – without the user even realizing an interaction with Facebook occurred.

Fake image of a malicious application request.

I would add that several security/privacy controversies, such as Facebook Beacon and at least many clickjacking attacks, can be solved simply by disabling third-party cookies.  This obviously isn’t an end-all solution, as it can block useful functionality as well, but I’m surprised it isn’t mentioned more often as a good strategy for power users.
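To make the third-party-cookie point concrete, here is an added example (not code from the original post) that models a browser's decision about which cookies accompany a request: a click hijacked inside a frame on another site carries the user's session only while third-party cookies are allowed. The hostnames, endpoint path and token are constructed placeholders.

```python
# Added illustration: why blocking third-party cookies blunts a clickjacking
# attack on a platform app. All hostnames/paths/tokens are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    top_level_site: str   # site shown in the address bar
    request_site: str     # site the (possibly framed) request goes to
    path: str


@dataclass
class Browser:
    block_third_party: bool
    cookie_jar: dict = field(default_factory=dict)   # site -> session token

    def cookies_for(self, req: Request) -> dict:
        """A cookie is third-party when the request targets a site other
        than the one in the address bar (e.g. a framed page on a prank
        site). With blocking on, such requests leave without credentials."""
        if self.block_third_party and req.top_level_site != req.request_site:
            return {}
        token = self.cookie_jar.get(req.request_site)
        return {"session": token} if token else {}


def app_install_endpoint(cookies: dict) -> str:
    """Constructed stand-in for an 'add application' endpoint: it grants
    the app data access only when a valid session cookie arrives; an
    unauthenticated request just yields a login page, so nothing is logged."""
    if cookies.get("session") == "user-session-token":
        return "app installed: profile data now readable by the app"
    return "login required"


def hijacked_click(block_third_party: bool) -> str:
    """The prank: a page on another site frames the install endpoint and
    tricks the user into clicking its hidden button."""
    browser = Browser(block_third_party, {"social.example": "user-session-token"})
    framed = Request("prank.example", "social.example", "/add-app")
    return app_install_endpoint(browser.cookies_for(framed))


def direct_click() -> str:
    """The same click made on the site itself still works with blocking on,
    which is why the setting costs little for first-party use."""
    browser = Browser(True, {"social.example": "user-session-token"})
    direct = Request("social.example", "social.example", "/add-app")
    return app_install_endpoint(browser.cookies_for(direct))
```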

Feb. 12, 2009

Posted in Facebook, General

Facebook is Growing Up

I simply found these charts humorous.

Jan. 9, 2009

Posted in General

Hold the Phone – Facebook Sync?

This week I eagerly refreshed the Engadget liveblog of Palm’s presentation at CES, curious to see what device and OS they would introduce.  While I doubt I’ll be replacing my new iPhone (yeah!) with a Pre any time soon, I was rather intrigued by several aspects of the new platform and look forward to seeing what comes of it.  I was impressed as the various descriptions rolled in from Engadget, but then they mentioned a feature that provoked a double-take:

In Synergy, you don’t have to import, you just login. But you don’t want duplicates in this list. You see this stack of photos in the contact card – that means there’s 3 sources for this contact, from Google, Outlook, and Facebook. But I can look at all her phone numbers with no dupes, and I don’t have to worry about managing this.

Excuse me?  Contact information from Facebook?

Currently no Facebook application has access to the e-mail, phone number, address, etc. of any user.  Even if a desktop app logged into Facebook and screen-scraped, the e-mail addresses are displayed as images.  And we all remember when Robert Scoble tried to download all of his friends’ contact info using such an approach.

The fact that Sheryl Sandberg showed up for the presentation tells me Palm has some special technology operating here.  Perhaps not, but I’m at a bit of a loss to explain how they can access and sync Facebook contact info for a user’s friends.  And if there really is some sort of special recipe behind the scenes, this raises a host of questions – for instance, will third-party Pre apps be able to access contact data and use it?

More importantly, why doesn’t anyone else have this kind of access?

I haven’t seen this particular question addressed since the Pre presentation, so I thought I would bring it up.  I’d certainly like to get more details as to what’s going on here.  And I definitely hope Facebook starts letting users legitimately sync contact info, regardless of whether they own a Pre.

Update (Jan. 10): I’ve continued watching Techmeme stories for more details on the Facebook integration, and this evening I found this tidbit from IntoMobile’s hands-on:

Enter your Facebook credentials and Synergy will search out all your contacts and automatically add them to your contacts list – complete with profile information (like phone numbers and email addresses) as well as pictures. Synergy can also draw contact information from multiple sources, like other social networks.

With your credentials, the application could theoretically use screen-scraping to gather such data.  But isn’t that the same technique that got Scoble banned?  In fact, automated scripts to collect information from Facebook are specifically banned in the TOS.  This would again lead me to believe that the Pre has some special pipeline to Facebook.

And is it downloading data or accessing on-the-fly?  Even data accessible to Facebook applications, such as profile pictures, cannot be permanently stored by an application.  Once again, it would appear that the Pre has a special dispensation to maintain contact data.

Facebook still has much to explain about the Pre…

Sep. 16, 2008

Posted in Facebook

Honesty Box Hacked

Update: Please note that the hack described here has been patched for over a year. This post is only an archive. I am not currently aware of any ways to hack the Honesty Box, and any requests to hack the application WILL be ignored.

Ever since I started hacking social networking applications, I’ve wanted to crack the Honesty Box.  One of the first apps on the Facebook Platform, the Honesty Box lets users send anonymous messages to those who install it.  Last year I tried to find a way to uncover a sender’s identity, but to no avail.  This year is a different story.

Originally, the Honesty Box was a fairly simple application, and consequently it had few opportunities for hacking.  While I could tell that the app did store data on who left a message, I could not find any way to get at the information short of trying an SQL injection attack.

But now, the Honesty Box has added a feature called “Reveal-Deals.”  This lets you exchange “HB points,” a rewards system in the app, to find out who left a message.  A user’s identity is only revealed once they agree on the number of points and accept the deal, so messages remain anonymous unless the sender decides to make or take an offer.

At least, that’s how things normally work.  I discovered the newer setup last night, and immediately saw it as a potential opening for a hack.  After an hour or two of work, with friends providing test cases, I finally pulled off one of my dream hacks: I can now uncover the sender of an Honesty Box message without exchanging HB points.

A few notes: The hack is a bit complicated, so I wouldn’t start freaking out about messages you’ve left.  I have not notified the app developers about this hack yet simply because I haven’t written up the details yet.  I do plan on sending them a full report soon.  If you’re a journalist who wants confirmation of the hack, you can e-mail theharmonyguy at Gmail to set up a test case, but please only do so if you’ve been on TechMeme before.  (The TechMeme requirement is a simple way for me to limit requests to legit people.)  Please do not send any requests to reveal someone on your Honesty Box, hack a friend’s Facebook account, etc. – such e-mails will be completely ignored.

The moral of the story?  For developers, be very careful about adding new features, especially ones that make a fundamental change to the structure of the application.  For users, be careful in posting messages online – though personally, I think you should be willing to say to someone’s face what you say in their Honesty Box, and I use it for sending compliments or encouragement.  But that’s just me. :)

Update (Sept. 17): The Honesty Box application appears to be patched now; I haven’t done a full check yet, but one of the holes that the hack took advantage of is gone.  Kudos to the developers for a quick fix.

Sep. 5, 2008

Posted in Facebook, General

Proof-of-Concept Malicious Application

ZDNet’s Zero Day blog reports today that researchers from the Institute for Computer Science have built a simple Facebook application that users will find desirable and innocuous – yet it is actually malicious.

As many, including this very hacker, have been saying for some time, it’s only a matter of time before black hat developers start taking advantage of social networking applications for harmful purposes.  One of the primary reasons I started this blog was to raise awareness of the problems that can easily arise on social networking sites.  Now the folks at ICS have provided an excellent example of what could happen.

The application presents a “photo of the day” from National Geographic, yet behind the scenes it makes use of those who install it to create a botnet for denial-of-service attacks.  The threat of such an attack is real:

Interestingly, the researchers made no effort to advertise/distribute their Facebook application but were able to attract more than 1,000 users in the first few days. With a bit of effort to manipulate the viral nature of app distribution on Facebook (the inherent trust of the social network model), a malicious Facebot with tens of thousands of users can do some serious damage.

Social networking applications are inherently difficult to police, but if nothing else, this one should help spur both users and developers to understand the risks involved and hopefully find new solutions.
