Facebook App Exposes Abject Insecurity 205
Posted
by
CmdrTaco
from the pay-no-attention-to-the-hole-in-my-pants dept.
from the pay-no-attention-to-the-hole-in-my-pants dept.
ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."
Re:Really? (Score:5, Informative)
Re:Really? (Score:5, Informative)
As the app in question demonstrates, you do not personally have to install an app in order for the app to see your Facebook information; a friend who installed could give it the same level of access.
Re:There is no insecurity at all. Move along. (Score:2, Informative)
Actually you can:
http://www.facebook.com/home.php#/privacy/?view=platform&tab=other [facebook.com]
Simply untick all the boxes there.
Re:Privacy is simple (Score:3, Informative)
Disabled (Score:2, Informative)
Facebook/Firefox fail (Score:4, Informative)
That Facebook quiz page puts Firefox 3.5 into a loop at:
"Script: file:///D:/Program Files/Mozilla Firefox/modules/XPCOMUtils.jsm:260"
FAIL.
Re:Really? (Score:2, Informative)
You have no reasonable expectation of privacy in your email communication.
That's only true in a business setting, and only in relation to your employer, on your employer's mail server.
Your employer has the right to read your email. You work for them, your email is basically your work product, and they can do whatever they want with it.
Your personal email account is another matter entirely. Your email can be subpoenaed, but that requires a court's intervention. Your ISP can't just post your email on a public web page and expect to get away with it. They can access your email because it's on their servers, and they have to comply with law enforcement requests that have court orders behnid them, but if a private investigator working for your wife wants to get information from your email about your infidelity (assuming you were stupid enough to email your paramour), they wouldn't legally be able to hand over the information.
Re:Really? (Score:3, Informative)
The ACLU's app lies.
When a friend installs an app, it has full access to everything _your friend_ can see in your profile, not the same level of access as an app you install yourself would have.
It doesn't magically grant the app more rights to see stuff than the user installing it already has.
Re:Tracy sure didn't get it... (Score:4, Informative)
Tracy's account was hacked by 4chan.
4chan hacked a christian dating site, and got a list of details and passwords contained on it's servers in plaintext. Not sure of the details (whether the users of the site just had the same passwords for that and facebook or if some other step was involved), but they used this to gain access to hundreds of facebook accounts.
They then proceeded to do their typical 4chan thing and post fake messages, porn, goatse, "coming out" messages etc. on all the compromised accounts. This was one of them.
Don't blame Tracy. She didn't post that.
Blame the Christian dating site for insecurity.
Blame 4chan for being 4chan.