Forgot your password?
typodupeerror
Facebook Privacy Security Your Rights Online

Facebook Caught Exposing Millions of Credentials 159

Posted by CmdrTaco
from the oh-yeah-sorry-bout-that dept.
fysdt writes "Facebook has leaked photographs, profiles and other personal information for millions of its users because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits."
This discussion has been archived. No new comments can be posted.

Facebook Caught Exposing Millions of Credentials

Comments Filter:
  • ... so isn't this kind of a 'well duh' moment?
    • by spun (1352) <loverevolutionary@nOSPAm.yahoo.com> on Tuesday May 10, 2011 @04:45PM (#36087362) Journal

      Somebody needs to take a refresher course in "What is this 'news" thing, anyway?" Something that happens with utter predictability and regularity, like a dog biting a man, is never really news. But if a man were to bite a dog, or Facebook was caught protecting user information, then that would be news.

      • by kvothe (2013374)
        While what you say is true, there is still value in being reminded that such evils still exist in the world, rather than becoming bored and sweeping them under the rug.
        • While what you say is true, there is still value in being reminded that such evils still exist in the world, rather than becoming bored and sweeping them under the rug.

          "Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman."
          ~ Justice Louis Brandeis, 1914

          • by kvothe (2013374)
            While I would applaud your effort in supplying that quotation, I would also say that seeing and acknowledging that there is a problem are important first steps to then seeking remedy, just as it is helpful to be able see a crime being committed if you wish to then apprehend the criminal.
      • by Nyder (754090)

        Somebody needs to take a refresher course in "What is this 'news" thing, anyway?" Something that happens with utter predictability and regularity, like a dog biting a man, is never really news. But if a man were to bite a dog, or Facebook was caught protecting user information, then that would be news.

        Welcome to Slashbook, the web site dedicated to News for Facebook.

  • by Anonymous Coward

    Are you sure you want to unfriend Mark Zuckerberg? (Yes/No)

  • I was forced to log back into my Facebook account on my phone out of the blue last Friday. Perhaps that was them revoking access to all the old offline tokens?
  • Meh.. (Score:2, Insightful)

    FB is overrated anyway. And waay too many people use it as if it were their Twitter account.
    • Where are my mod points?!?

      I have actually started deleting people who post a lot of stuff in a short amount of time. If you have to post every thought that passes through you're head I have no interest in knowing you.

    • Lets use Incliq! or something like it. The only real way to ensure privacy is through a ssh/https tunnel to/from your friends' own servers...and with the $25 PC...all your friends having their own servers wouldn't be too nerdy....right?
    • Re:Meh.. (Score:5, Funny)

      by MobileTatsu-NJG (946591) on Tuesday May 10, 2011 @05:04PM (#36087564)

      FB is overrated anyway. And waay too many people use it as if it were their Twitter account.

      The big downside to Facebook around here is that it requires friends.

      • by Anonymous Coward

        FB is overrated anyway. And waay too many people use it as if it were their Twitter account.

        The big downside to Facebook around here is that it requires friends.

        You keep using that word, "friends", in the context of Facebook. I don't think it means what you think it means.

        • Actually it does mean what I think it means. The difference is that I have actual friends on my list instead of collecting confirmations like they're Pokemon.

    • by geekmux (1040042)

      FB is overrated anyway. And waay too many people use it as if it were their Twitter account.

      Uh, FB as Twitter? My apologies, I was unaware that I was polishing that FB turd the wrong way. Should I polish it in the same counterclockwise direction that the Twitter software spells out in it's specifications, or is this location-dependent? I am north of the equator.

      Translation: Facebook...Twitter...it's all the same shit

  • by grahamsaa (1287732) on Tuesday May 10, 2011 @04:33PM (#36087234)
    There should be a law requiring a fine for each user who's personal information is compromised as a result of bugs like this. My bet is that if there were, this type of thing would happen far less often. Of course, Facebook isn't the only company guilty of this type of thing -- and I suspect that until there is some serious consequence associated with this type of security hole, most companies won't take it seriously enough.
    • by KhabaLox (1906148)

      There should be a law requiring a fine for each user who's personal information is compromised as a result of bugs like this.

      Well, that would kill the internet pretty quickly, so it would certainly solve the problem I suppose.

      • Watch out when Copyright Superclick comes into law. By that I mean the various forms of the laws that would make streaming/accessing/viewing anything not the authorized source into a crime.

        I am floating the proposal that we make personal information just as prickly as copyrighted work. Then if Z had to pay $875,000 per shared profile times 20 million profiles he would wake up.

    • Yeah right. If they don't fine companies for exposing people's credit card numbers and SSNs, there's no way they're going to do it for exposing someone's DOB or address (which are generally public information to begin with).

    • by Amouth (879122)

      if that where so - any company with half a brain would realize it would be cheaper to relocate to another country (that would love to have them)

    • by vivin (671928)

      That's a very good idea. Something like PCI requirements, but for personal information.

  • Get thee to Congress and testify!
  • by drsmack1 (698392) on Tuesday May 10, 2011 @04:36PM (#36087268)

    Researchers note that they would have released this study much sooner, but their PCs were hamstrung by Norton Internet Security.

    • Re: (Score:2, Funny)

      by internerdj (1319281)
      "Researchers note that they would have released this study much sooner" Well they should have just posted the study to their facebook profiles as a private note then.
  • Bound to happen (Score:3, Interesting)

    by softWare3ngineer (2007302) on Tuesday May 10, 2011 @04:36PM (#36087278)
    These types of errors are bound to keep happening. Software is to large to find and fix everything. Not saying that it is right, or developers should give up, or software should generally be more secure than it is. But maybe we as users should keep this in mind when we put anything up on the Internet. Especially when dealing with sites like facebook.
    • by cpu6502 (1960974)

      I bet you'd have no problem finding security flaws in Commodore 64's GEOS. Or KolibriOS. It's so frickin' small that it's humanly possible to scan every line of code for security holes.

      Which is the key I think - software needs to be less bloated, so it's easier to debug.

      • by Dogtanian (588974)

        I bet you'd have no problem finding security flaws in Commodore 64's GEOS.

        No doubt. I'm sure it would be even easier to find security flaws in a 1KB ZX81 program, but you're not going to be able to write anything that'll even begin to meet Facebook's server requirements in something of comparable size to either, so it's a pointless example.

        Anyway, people hold up 8-bit code as a paragon of efficiency all the time. And it was... as far as it went. But 8-bit programs were generally very limited in what they could do, and it's impractical to use that design style for larger, more m

        • by cpu6502 (1960974)

          >>>people hold up 8-bit code

          Kolibri OS is not 8 bit mister "I don't read before replying" or use his brain. It's 32 bit, fits on a floppy, and is perfectly capable of running a facebook server. And therefore is easy to find security holes.

          • by Dogtanian (588974)

            Kolibri OS is not 8 bit mister "I don't read before replying" or use his brain.

            What makes your childish reponse more laughable and ironic is that if *you'd* been paying attention, you'd notice that the section quoted did not include mention of the Kolibri OS, because I wasn't replying to that, but specifically the part about the 8-bit Commodore 64. Is that clear enough for you "mister"?!

            That said, I *did* investigate Kolibri OS after you mentioned it. Regardless of how tightly it is coded, or how suitable it would be for running Facebook's server code, it does *not* follow that beca

    • by nospam007 (722110) * on Tuesday May 10, 2011 @05:52PM (#36087938)

      "Software is too large to find and fix everything."

      That's what Sony said.

  • by Anonymous Coward

    Working as intended

  • No? must be anon, it was an impossible to thwart attack, the 13 year olds are to blame not facebook.
  • by Troy (3118) on Tuesday May 10, 2011 @04:50PM (#36087424)

    to make a self-righteous post about how you don't use Facebook, and anyone who does is stupid.

    • to make a self-righteous post about how you don't use Windows, and anyone who does is stupid.

      The lions. I beard them.

      • I don't use Windows (except when it's appropriate to do so), and people who use it (without critically assessing their own needs from an OS and making an informed decision) are stupid.

        As for Facebook...it's just stupid. I stopped using it and deactivated my account.

    • by gatkinso (15975)

      I don't use Facebook. However I know several people who use it who are seriously hot (the fact that most of these people are stupid is out of scope to the point I was making).

  • by Anonymous Coward

    Your writing style will get you tracked. I remember when trolling a few years ago that someone guessed what ISP I was using.due to cross checks on multiple sites. If you are alive, your atoms will be tracked.

  • by HangingChad (677530) on Tuesday May 10, 2011 @05:46PM (#36087888) Homepage

    I assume Facebook is being back-doored by the feds, assume they sell information to advertisers, so the only difference here is that it was unintentional. So I keep my FB profile loaded with inaccurate, out of date information. Just seems like the best way to hide a tree is in a forest of misleading information.

  • You should have no reasonable expectation of privacy when posting ANYTHING to a social networking website.
    • You should have no reasonable expectation of privacy when posting ANYTHING to a social networking website.

      Absolutely right, Bob Walcott of 5098 Clay Street, Denver Colorado 80601, height 5 ft 8 weight 280 lbs, favorite soft drink coca-cola mixed with green koolaid, recently married until dinosaur pr0n collection discovered by wife.

    • by geekoid (135745)

      Of course you do, don't be daft.

      Just bear in mind privacy is about relationships.

  • Am I the only one that read this as "Facebook Caught Exposing Itself"?

  • Facebook staff have been amazed to discover [newstechnica.com] that when Facebook passes users' complete details to application developers and advertisers like candy, some of the partner companies might accidentally let slip the information in some manner.

    "We are appalled at this information leak," said Facebook founder Mark Zuckerberg as he took a break from his personal RSS feed of drunk women's tits posted to his service. "But I can assure you that we have sternly suggested to everyone involved that they take somewhat greater care not to get caught, and maintain a serious demeanor when rolling around in the great big pit filled with money in their basement."

    "I'm horrified and outraged," said office worker Brenda Busybody, 43 (IQ), "that stuff I put on the Internet is on the Internet. It violates everything I expect. I want privacy when I'm calling my boss a useless fuckstick to the entire world, all my coworkers and my boss himself. And when I'm playing a bit of FarmVille before we nick off down the pub."

    Privacy advocates are working on Diaspora, a security-enhanced social network so far populated by Linux users who cryptographically sign every update about which episode of Babylon 5 they just finished watching alone in their parents' basement. "START PGP KEY BLOCK!" said open source software advocate Hiram Nerdboy, 17. "WE WILL PROTECT YOUR FREEDOMS!" The next version of Diaspora will allow users to list more than three friends, should there be any demand whatsoever for such a feature.

    Facebook works on the now-standard "Web 2.0” business model: 1. Brutally sodomise the personal privacy of anyone who comes within a mile of your service and say "hey baby, I'm sorry" every time you're busted. 2. Sell ads.

  • Throughout history, we have given a wide berth to those who have made great leaps in technology. This is nothing compared with the railroads' liberties with property and human lives, same goes for mechanized automation, commercial shipping, and, of course, weaponry. We are entitled to get all verklempt over these things, but the world moves on anyway. Just feel lucky if you have not (yet) been crushed under the wheels of progress.

    BTW, there is a benefit to falsifying everything about yourself on your Fa
    • BTW, there is a benefit to falsifying everything about yourself on your Facebook page.

      Doesn't stop your sister posting "Hey brother why haven't you responded to my family request??"

  • by thepike (1781582) on Tuesday May 10, 2011 @08:59PM (#36089450)
    Infrastructures [xkcd.com]
  • Isn't Facebook's entire valuation based on violating user privacy? The ad piece of the business probably pales in comparison to being able to "accidentally" expose thoroughly mined and indexed personal information. It is probably the same thing for Zygna, the world's highest grossing "GAME" company, slowly recycling Pavlov's finest experiments.

  • Go to Facebook -> Account -> Apps and Web Sites -> Edit Your Settings ->Apps You Use -> Turn Off Platform Apps.

    Even that doesn't stop everything. Go to Account-> Privacy Settings -> Block LIsts. This is where you see the list of apps you've blocked from contacting you when run by others. But you can't actually block anything from there. You have to find the Facebook page of the annoying app (for example, FarmVille [facebook.com]) and then click on "Block App". Now, no more annoying Farmville messag

  • Hey guys - I work on the Dev Relations team at Facebook. We appreciate Symantec raising this issue and we worked with them to address it immediately as the article mentioned. Unfortunately, their resulting report has some inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers w
  • Average Joe/Jane won't read it, and even if they do they'll think it's bullshit, or they will say that they don't have anything to hide on the Interwebz.
  • I don't put anything on a site like Facebook, Twitter or myspace even here that would bother me if it got out. I don't pay to use them so i expect hiccups and bug and hacks often. No if it was something like my evernote account which i pay for I would have pitchfork in hand ready to crucify their CTO & CEO for me research or personal info getting out.

APL hackers do it in the quad.

Working...