Posted by theharmonyguy in Facebook, General | 8 comments
Why the Current Facebook Privacy Debate Matters
Privacy has been a hot topic of discussion among all sorts of technology-minded people lately. But take a moment to consider why this debate is even happening. One could list several events involving several companies that have all influenced the controversy, but generally, much of the talk stems from changes made by Facebook over the past year.
Why the Change?
And why did Facebook make those changes? There’s no technological reason for many of them. Nothing about liking pages or using social plug-ins forced the company to remove old access controls or make “instant personalization” an opt-out feature. Facebook’s executives made a policy and business decision to push users into more public sharing. In many ways, we’re having this debate because Facebook chose to make it an issue.
Keep Reading »Posted by theharmonyguy in Facebook | 6 comments
More Recent Security Problems with the Facebook Platform
I want to preface this post by noting that I have plenty of respect for the engineers at Facebook, and I realize they face many challenges maintaining the security of such a complex website. However, given Facebook’s current status and reach, I also think it important to keep the site accountable when it comes to issues that risk unwanted information disclosure or other problems for end users.
Facebook’s faced criticism for several security issues over the last few weeks. In April I reported on a vulnerability that allowed applications to be hijacked for stealing data or spreading malware. More recently, a glitch allowed users to spy on Facebook Chat sessions and problems with Yelp showed the risks of cross-site scripting in “instant personalization” sites.
Unfortunately, I have a few other holes to report. I first notified Facebook of these new issues last month, but I wanted to give time for patches before I published details on the problems. Facebook has since made several changes that address some of the issues I raised. However, some of the problems appear to remain. Given the updates and length of time since my reports, I decided to go ahead and post about these issues, but I’m withholding technical details on issues that are still active.
Keep Reading »Posted by theharmonyguy in Facebook, General | 12 comments
Don’t Simply Build a More Open Facebook: Build a Better One
Geek Level: Not overly technical, but aimed at developers and entrepreneurs.
Frustration with Facebook has appeared to reach a tipping point recently. Changes to the service have always drawn criticism and even outrage from various users, but after the latest updates, I’m seeing more people talk seriously about leaving the site. Consequently, some people have begun looking for alternatives, and a few have even started trying to build their own.
I’m among those looking for alternatives. I’ve held back from closing my account several times in the past due to a large network of friends, but my concerns continue to rise. Few other options exist, though, and any service looking to compete directly with Facebook faces an uphill battle.
Consider this post my advice to anyone who wants to tackle that challenge.
Keep Reading »Posted by theharmonyguy in Facebook | 1 comment
How Facebook’s New APIs Affect Old Security Issues
Geek level: Fairly technical at times, but makes some general points.
Based on my experience in researching Facebook security, I was quite interested in the security ramifications of Facebook’s recent developer announcements. Some of the analysis I’ve seen thus far from others actually involve rediscovering previously reported concerns with the old platform. But Facebook’s updates include a brand-new authentication scheme for applications, possibly affecting the sort of application attacks first described last year. From a security perspective, I wondered, how much has actually changed?
New Interfaces
To begin, let’s recap some of the new developer tools. First, Facebook is phasing out its old authentication scheme. Previously, applications would generate a session by forwarding clients to a particular Facebook URI. If the user chose to authorize the app, Facebook would forward the user back to the application context, passing along a valid session key (and session secret). The application would then use that session key to generate API requests, signing each with either the session secret or application secret.
Keep Reading »Posted by theharmonyguy in Facebook | 58 comments
Facebook is Not Secretly Installing Apps from Other Websites
Updated 4:55 p.m.
Earlier today, Apple news site Macworld published a story with the ominous headline, “Facebook’s new features secretly add apps to your profile“. That claim will naturally get attention, and other sites have started the news.
There’s just one problem: The story appears to be incorrect.
I am not saying that Macworld’s writers are trying to mislead or that they intentionally reported incorrect statements. But I do think they did misunderstood some Facebook behaviors in their zeal to protect user privacy.
Keep Reading »Content License
All content by theharmonyguy on this site, including text and images, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.