Facebook hack - Your profile data is exposed
Critical flaws in Facebook are once again exposing your profile information. As social networks continue to play a vital role on the web and user adoption of location-based sites increases, privacy and security must be taken seriously and treated as a top priority.

Web users have become increasingly trusting of social networks and seem to forget that a lot of their activity is quickly indexed by search engines and is often available to the world in real time. Users are posting tons of personal information (full name, address, date of birth, phone number, employment, names of family members, risqué photos, etc.) on social networks like Facebook. This information can easily be abused, as it is available to ANYONE, as you can see below. Unfortunately, I don’t think the average user cares or is even aware of the potential dangers and risks of publicly broadcasting this type of info. Are you updating your status message with locations and activities, or exchanging and posting personal information? Have you posted pictures you don’t want your boss or grandmother to see? Do you really know everyone you accept, friend, or follow? This can all lead to a serious invasion of privacy: harassment (e.g. SWAT teams), identity theft, and a plethora of crimes, headaches, and problems that become possibilities, most of which are easily executed.
Don’t get me wrong, social sites can be extremely valuable, depending on how they are being used. Some of these sites, such as Facebook, have attempted to build flexible and robust privacy controls, but they continue to introduce more privacy issues, which aren’t being taken seriously. Social networks are becoming very important mechanisms for real-time news, citizen journalism, connecting with friends, and keeping up with what is going on around the world as it happens. These networks are also becoming very important tools for governments. A recent example would be the important role Twitter, Facebook, and YouTube played in the last week with the Iran election protests. We can all participate in these sites, and I encourage you to, but a level of anonymity must be maintained! You must THINK, and choose wisely what you share. Is it really necessary to broadcast publicly to the world that you aren’t going to make it home till tomorrow morning from your family vacation in Hawaii, when your address is posted publicly on your Facebook page?
I recently noticed my friends using an app on Facebook called ‘We’re Related’ by Familylink. You can identify and display members of your family who use Facebook. On their Facebook app page it says “Love connecting families and helping people find their relatives on Facebook!” Who is behind this company? What are they doing with the massive amounts of data they collect? Are they selling your relatives’ names and dates of birth? Are they collecting other information from your profile once you grant the application access? (Yes.) Are they compiling relationship-based databases and selling searches, or reverse cell phone lookups? The We’re Related app clocks in at 15,300,087 monthly active users, the 4th most popular app on Facebook right now, and ranked 1st in the Friends & Family app category. Is sharing this information really necessary to enhance anyone’s experience on Facebook? No third party app needs to know your mother’s full name and date of birth; neither does Facebook, or any site for that matter!!
Social networks must start focusing on privacy issues, protecting their users with the implementation of simple safeguards and better security mechanisms. Users need to be educated, and sites need to simplify their existing pseudo-privacy mechanisms. As location-based social networks such as Loopt, BrightKite, Google Latitude, etc. explode in growth over the next few years, this becomes even more vital. Bad policies and weak security like those abundant today will lead to even more serious privacy issues as your location data becomes commonplace. Problems will arise if sites continue to expose users through security flaws such as XSS vulnerabilities.
Why should these websites even care about this? Plenty of sites are creating billion-dollar social media empires from social networks, user-generated content, and crowdsourcing. Realistically, the more you use these sites, the more people use them, and the more content you share, the more money lines their pockets. The more uninformed users are, the more money everyone makes.
Twitter user @theharmonyguy has set up a safe web page that exploits a vulnerability in Facebook and displays your profile data, even if your profile is private!! This link is safe and the data won’t be shared with anyone. The data displayed from my private Facebook profile is pasted below. You won’t find much, so it isn’t really the best example, but you can see that my private profile data is accessible. What are you sharing on the info tab of your profile? What about your friends, and your family?? Are you using third party apps that have been exploited, or apps that collect your personal profile info? You might be surprised!
----
You might see some of your Facebook profile information below. The page you just visited actually contained code that used holes in Facebook to get your profile data. Don’t worry, none of your info has been stored - this time. But you may want to read more about privacy problems currently part of the Facebook Platform. If all of this concerns you, please share this link with friends to let them know about these problems as well.
By the way, you may find that a certain recreational Facebook application has now been authorized on your profile. Check your applications and remove any that you don’t normally use.
Facebook ID: 767194971
Name: Jay Neff
Birthday: undefined
About You: The people I associate the most with are Dreamers! People who believe that “Nothing is Impossible.” People who support the Entrepreneurial spirit. People who believe in making a difference. Those who think outside of the “BOX”. Truth seekers, philosophers, activists, humanitarians, intelligent and educated individuals.
Interests: Technology, Music, Art, Reading, Writing, Learning, Comedy, Telecom, Entrepreneurship, Networking, Business, Social Media, Telephony, Movies, Documentaries, Computers, Domains, SEO, Blogging, Podcasting, WM3, Infosec, Free Speech, Politics, Different Cultures and Societies, Social Issues, Exploring the Unknown, Thinking, Sharing, Giving
Music: TOOL, Puscifer, A Perfect Circle, Slightly Stoopid, Widespread Panic, Alice In Chains, Mad Season, Sublime, Pink Floyd, Bob Marley, The Doors, Johnny Cash, MSI, O.A.R., RATM, 2Pac, B.I.G., Three 6 Mafia, Haystak, Lil Wyte, Muck Sticky
----
How did you really know the safe web page link was safe to click, or that the data collected wouldn’t be misused? ;P This was just a demonstration, but it could easily have been an XSS attack. Upon clicking, it could have sent your cell phone number and address out on Twitter, taken from the info found on your private Facebook page, for example. :)
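To make the XSS point concrete from the site operator's side, here is an added example in plain JavaScript; it is not code from this post, from Facebook, or from @theharmonyguy's demonstration page. It shows the pattern behind a cross-site scripting hole (a profile field dropped straight into markup) next to the output-encoded form that closes it, with a small review check that reports whether rendered markup contains a tag the template did not put there. The function names (escapeHtml, renderProfileUnsafe, renderProfileSafe, containsForeignTag) and the sample profile are assumptions made for the example.

```javascript
// Added example (not from the original post): why an XSS hole lets a page
// run code it should not, and the output-encoding fix that closes it.
// All profile data below is constructed sample input.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: user-supplied profile fields are concatenated straight
// into markup, so anything that looks like a tag becomes live HTML.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.name}</h2><p>${profile.about}</p></div>`;
}

// Hardened pattern: every untrusted value is encoded at the point where it
// is placed into the HTML context.
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2><p>${escapeHtml(profile.about)}</p></div>`;
}

// Review check: does the rendered markup contain any tag name that is not
// part of the template's own allow-list? Returns true when a foreign tag is found.
function containsForeignTag(html, allowed = ["div", "h2", "p"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map(m => m[1].toLowerCase());
  return tags.some(t => !allowed.includes(t));
}

// Constructed sample: an "About You" field carrying a script tag, the kind of
// value a profile field holds when input is never checked and output never encoded.
const sampleProfile = {
  name: "Sample User",
  about: 'Dreamers and truth seekers <script>alert("xss")</script>',
};

// Running this file with node prints one line per renderer.
console.log("unsafe renderer leaks a foreign tag:", containsForeignTag(renderProfileUnsafe(sampleProfile)));
console.log("safe renderer leaks a foreign tag:  ", containsForeignTag(renderProfileSafe(sampleProfile)));
```

The check is a code-review aid, not a filter: the fix is encoding at output time for every untrusted value, and containsForeignTag only demonstrates the difference between the two renderers on the same input.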
Here is a basic explanation of this hack and for full technical details
Thanks @theharmonyguy
Update: The specific hole used to get the info has now been fixed, but the larger privacy problems still remain.
Further Reading:
- How Privacy Fails: The Facebook Applications Debacle
- Privacy needs pro-active security
- Privacy problems currently part of the Facebook Platform
- Account Shutdown – Seriously? (Updated)
- Rogue Facebook Apps Early Warning Group
- A few FAQs about privacy and security on Facebook
- When Google Latitude Stalking Isn’t Such A Bad Thing
- GPS tracking Mega Post
- Identity Theft and the Social Web
- Anonymity in the age of Web 2.0
- Still Don’t Think This is Serious?
- The Day Facebook Changed Forever: Messages to Become Public By Default (UPDATED)