Stealing Data With Facebook

The most disturbing part of this story from the BBC (excerpts below) is that with a malicious application they were not only able to steal private information from users, but from the friends of those users who had not agreed to use the widget.

Full story: http://news.bbc.co.uk/2/hi/programmes/click_online/7375772.stm


We have discovered a way to steal the personal details of you and all your Facebook friends without you knowing.

Little games, quizzes, IQ tests, there are thousands of them available. And once you have added an application, your friends are encouraged to add it too.

Anyone with a basic understanding of web programming can write an application.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users' friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people's security?

Because these applications run on third-party servers, not run by Facebook - it is difficult for the company to check what is going on, whether anything has changed, and how long applications store data for and what they do with it.

But he added: "Morally, Facebook has acted naively."

He said: "Facebook needs to change its default settings and tighten up security."

He also believes it would be difficult to secure the current system because so many third party applications are now in circulation.

No comments: