Facebook and MySpace Backdoors Found, Fixed (106 comments)

Posted by Soulskill on Thursday November 05, @11:29AM
from the oh-adobe-you-card dept.
Tags: bug, security
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
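The summary above describes the failure in one sentence: a crossdomain.xml served from one host granted domain="*". An added example (not code from the story or from the developer it quotes) shows a small auditor that parses a crossdomain.xml policy and reports the grants a defender would flag; the two policies below are constructed for illustration, and example.com is a placeholder host.

```python
"""Audit a Flash crossdomain.xml policy for overly permissive access grants.

Added example, not from the Slashdot story or the developer quoted in it.
The two policy documents below are constructed for illustration; the element
and attribute names (cross-domain-policy, allow-access-from, site-control)
are the ones defined by Adobe's crossdomain.xml format.
"""
import xml.etree.ElementTree as ET

# Constructed "before" policy: the kind of wildcard that lets a Flash
# application on any origin read the host's authenticated content.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed "after" policy: only the site's own hosts, HTTPS only,
# and no per-directory policy files allowed to widen access later.
FIXED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings for one policy; an empty list means no issue."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits arbitrary per-directory policy files")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from grants every domain (domain="*")')
        elif domain.startswith("*."):
            findings.append("allow-access-from grants every subdomain of %s" % domain[2:])
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false": a SWF served over plain HTTP may read HTTPS content (%s)' % domain)
    return findings
```

Run `audit_crossdomain(WEAK_POLICY)` to see the three findings the wildcard policy produces; the fixed policy produces none.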
  • Huh. (Score:5, Insightful)

    by Velorium (1068080) on Thursday November 05, @11:35AM (#29996036)
    I wonder how many people figured this out and didn't report it.
    • Re:Huh. (Score:5, Informative)

      by girlintraining (1395911) on Thursday November 05, @11:50AM (#29996242)

      I wonder how many people figured this out and didn't report it.

      They didn't need to figure it out... Facebook lets people suck all that data out by making a game about vampires, pirates, farming, or god only knows whatever else is out there. Why go through the back door when the front door is already open and a welcome mat thrown out?

      • Exactly. If you are in the business of stealing a person's data you're probably a hacker. If you're a hacker you probably know some programming. If you know some programming you can throw together a Facebook game over the course of a weekend.

        Then once 3 million people use your App - you can access their data. ...

        Have they fixed that yet? They've been aware of THAT problem for months.

        • Game!? Hah! Throw together a 'quiz' and you'll have them signing up in droves. It's ridiculous.

          As for 'over the course of a weekend', I can attest to that. I managed to get Zend Framework to authenticate with Facebook and write the basic structure of a game in a weekend, while I was watching TV, playing games, reading both English and Japanese, and I'm pretty sure I went out to see a movie, too. It's ridiculously easy to write something for Facebook.

  • McCroskey (Score:4, Funny)

    by Captain Splendid (673276) <capsplendid.gmail@com> on Thursday November 05, @11:37AM (#29996066) Homepage Journal
    Looks like I picked the wrong week to deactivate my FB account.
    • Surely you can't be serious?

        • Surely you can't be serious?

          I am. And don't call me Shirley.

          People, do you not see the basic problem with using this joke in written format? Without a doubt this is a serious flaw in the English language: we are unable to use the "Don't call me Shirley" joke in written form because, while the words "Shirley" and "surely" are homonyms, the spelling is clearly different...

          Ai propoz a simpl fix for this problem: Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz. Thas, thi standard "Shirley" jok wud bi exekyutid thus:
          "Shirly yu kant bi

          • Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz

            Ok, is it spelled "kaw" (New England), Kower (south) Kore (midwest), Kwa (Nwoo Yawk)?

            Is it window, winder, or windah?

            And you spelled "uv" rong. See how this is such an incredibly BAD idea?

            • Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz

              Ok, is it spelled "kaw" (New England), Kower (south) Kore (midwest), Kwa (Nwoo Yawk)?

              Is it window, winder, or windah?

              And you spelled "uv" rong. See how this is such an incredibly BAD idea?

              I did not spell "uv" wrong. The five vowels:

              A E I O U

              Take the following sounds:

              Ah Eh EE Oh OO

              This is in accordance with the usage of the vowels in other European languages, such as Spanish or Italian. Thus, the word "of" would be spelled "ov". "uv" would rhyme with "move"

              Admittedly, some work would need to be done to refine the phonetic spelling system and to promote adoption and education of the new system. I figure in a generation or two we might be able to iron out these regional differences. Of cou

              • No, because then how do you distinguish between the sounds in "of" and "over"?

                Ah = [a]fter = aftr
                Eh = [e]ffort = efert
                EE = [e]ven = iven
                Oh = [o]ver = ovr
                OO = wh[o] = hu

                but you still haven't covered several other vowel sounds:

                AA = [a]pe
                Ih = [i]gloo
                II = [i]vory, [ey]es
                Uh = [o]f, [a]ffect, [u]nder

            • Yes, Airplane! is for the fine cultured palate. The comment wasn't meant to be funny, it was meant as social commentary regarding new technology. Now let's all spout out some Monty Python quotes and give each other handjobs with our pinkies curled.

            • It wasn't a joke, it was a popular culture reference. I'd imagine that you're neither popular nor cultured; that would explain your total failure to 'get it'.

              Dude, what are you talking about?

              It's a joke and a pop culture reference. I get it. I've seen "Airplane". I use this joke myself more than is really appropriate.

              But every time a cherry of an opportunity for a "Don't call me Shirley" joke appears in text the opportunity is wasted by the fact that the difference in spelling pretty much kills the joke. It's as if, by the simple act of presenting the joke in written form, the entire funny part of it has been extracted and painstakingly explained at length.

              T

    • Looks like I picked the wrong week to deactivate my FB account.

      Why? I've been on Facebook since late 2004 and have never used a single app. You'd have been perfectly safe if you never used them or only used ones which you absolutely trusted.

      • Wow...that's like the year FB started...back when it was The Facebook. Yet you have a 7 digit /. ID. Not sure how much geek cred that averages out to.
      • Re:McCroskey (Score:5, Interesting)

        by darthflo (1095225) * on Thursday November 05, @11:52AM (#29996262)

        Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.

      • Re:McCroskey (Score:5, Insightful)

        by natehoy (1608657) on Thursday November 05, @11:53AM (#29996266) Journal

        If I understand it, I have significant access to my friends' data on Facebook. When *I* sign up for an account, the app not only has access to my data, but any and all data I have access to. So you might not have given access to your data, but a friend might.

        Plus, doesn't Facebook use Flash on a few of their ads? With the old crossdomain setting, Facebook's advertisers could also have gained access to your data.

        Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

        • Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

          It's sad you have to tell people this.

          It's like putting up fliers on telephone poles and signing your name (and picture) with it. And then asking how people found out.

        • Facebook has nearly the equivalent of ACLs. Learn to use the groups and privacy functions. You can put people into groups and then give groups, or individual people access (or block access) to nearly any aspect of the site. (And I'm guessing by extension Apps that those people use).

          Right now everything is locked down to the point that NO ONE can see anything by default. You can't even search me by name because I don't 'exist'. No pictures, no information, nothing.

          I have "Family", "Friends", "Acquaintances"

          • Re: (Score:3, Informative)

            So if someone in your "Family" group wants to find out what kind of left-handed vampire they are, then the app they are running has the same access to your profile that they do.

            That's the problem. You might trust the person, but they are running apps that might not be as trustworthy, and those apps adopt their Facebook authority to run.

            At least that's how I understand it.

      • I agree, unfortunately there are a lot of people that don't realize this and will click on any and every cool looking app out there.

        However, even if your Facebook account is compromised, people need to realize that they should only be putting information on their page that they want the whole world to see. If people would just ask themselves one question, "Am I ok with my [boss, wife, mom, complete stranger] knowing this", before posting, a lot of issues could be avoided.

      • The problem is, if any of your friends used an app or took a quiz, that means all of your information was compromised also.
    • Maybe someone can help you with that? Whether you know it or not?

  • There went my plan for consulting for HR departments by checking Facebook and Myspace profiles. Guess I am stuck snooping Slashdot accounts and news sites for $10 a person.

    • Ask the guy if you can buy (share) his identity so you can take the MySpace job offer while he takes the one from Facebook.

      Maybe YOU can be the one at Facebook instead, if you offer enough cash, but they might be better able to figure out who you are.
  • by WankersRevenge (452399) on Thursday November 05, @12:19PM (#29996594) Homepage
    It amazes me that Facebook rose to prominence in the way it did. Out of all the sites I have ever used, Facebook is the worst when it comes to bugs. It simply floors me how much bad code is pushed out to production servers or how many things break on a daily basis. I'm not talking simple copy bugs, but full on showstopping bugs. At one point, I was filing bug reports to them on a daily basis. If there is any QA department, it is incredibly lax. I'm guessing it's just a couple of interns sniffing for a gig. The only reason I'm using Facebook is to grow my zombie blog, and once I reach a point where my traffic isn't dependent on that site, I'm dropping them like a friggin rock. And it will be a glorious day indeed.
    • Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.

      I see you've never been to Slashdot.

    • Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.

      All three of them?

  • Remove Flash's ability for cross-domain cookies. Browser plugins should use the browser's cookie storage, IMO.

  • What about the backdoor that lets you find someone's picture album and their profile if you have the filename of one of their pictures from the album (say, someone dragged the picture into a folder, and then e-mailed it or posted it on a message board, thinking that since they're not posting a link to the facebook photo they're anonymous)?

    Will they ever fix that?

      • It also allows you to see all the other photos in that album, even if the album isn't publicly accessible.

        • Regarding sanitizing the metadata, it's not apparent from just glancing at the filename that it contains this information. You have to know, and most people don't.

          It could be relatively easily fixed, too... just use a script to generate the data and pass it in the path name, not the filename. E.g. /image.php/123/456/789/arbitraryfilename.jpg. "arbitraryfilename" can be anything you want it to be, so long as image.php knows to ignore it.

  • Yeah, I'm a lamer, I have a FaceBook account.

    Am I the only one who's been getting a shitload of FaceBook spam recently?
    • Re: (Score:2, Insightful)

      Well, it is an achievement, much in the same way that not eating a bucket of KFC every day is an achievement.

    • I feel it as a personal accomplishment I *don't* have social network accounts on Facebook, Myspace and the like.

      Well, you say that but we all know it's because you don't have any friends.

      • Hey, you're right! [slashdot.org] He does have one fan, [slashdot.org] though.

        • It's so I don't have to be like you and brag about your mega-uber friend list which is solely derived off your MySpace hit counter.

          Instead you can brag about how you're too good to have an account on any such sites.

          I think The Onion needs to do a follow-up to the feature article about the man who doesn't have cable television.

    • I feel it as a personal accomplishment I *don't* have social network accounts on Facebook, Myspace and the like.

      Wait, so that's a fake you on FB whose last status update was "I <3 my little ponies"? I can't be your friend any more. I like the FB you better.

    • I will agree with you that it's a small accomplishment to not have a social networking account anywhere. Mostly because everyone goes "sign up so we can do X together" or "sign up so we can be 'in a relationship' together" or whatever other viral method of spreading is popular today.

      I still have an LJ account from around the time I first signed up at Slashdot. *sigh* yes! I know that is a blog.. and yes I know that blogs aren't cool anymore. But what I discovered is that when it became uncool.. suddenly

      • There are actually accomplished non-asshole, intelligent, and fair-minded people here on Slashdot. Somewhere... hidden among all the assholes.. probably..

        Also, you are dead wrong :) data-mining anyone and everyone seems to be a very popular thing, whether you think the people are important or not.

        • There are actually accomplished non-asshole, intelligent, and fair-minded people here on Slashdot.

          Those would be the zealots.

          • Zealot isn't like a class you pick when you sign up for Slashdot... though maybe a class system would clear the air a bit

            Just saying! hah.

      • I think you might be projecting a bit there. Lots of us have offline lives too. I don't have an account on any social networking sites either. I set up a mailing list for my friends to use to organise social activities. It's trivial for them to use: just send a mail to the address and everyone else gets it. Even the least technical of them can manage that, while a few of them have problems with Facebook. I don't get the shared online photo album stuff, but people show me photos at parties instead so I
      • You aren't important enough for anyone to want your information.

        Incorrect if...

        • you have a bank account with cash
        • you have a credit card or decent credit
        • you've pissed off someone who's tech-savvy, or who'll hire a tech-savvy private investigator
        • you have an attractive cousin
        • et cetera...
        • I'm guessing those mods are the kind of folks who are very sensitive about the how many "friends" they have on social network sites, and don't like anyone raining on their parade - consequently supporting anyone who lashes out at people who don't need the constant sense of validation that social networks bring.
    • This story's about accessing private data in the first place, not sending the data once accessed.