BBC hacks Facebook

[palgrave]

This BBC article is quite interesting. They reckon anybody with basic web programming skills can steal personal details from Facebook.

I don't use Facebook or any other social network site, but what I found quite interesting was the implicit notion that web 2.0 users have the right to create their own internet experience, but the responsibility for the safety of the information they use to create that experience lies with those who create the framework for that experience.

I don't have a strong opinion on this, but I would probably tend towards an argument that places more of that responsibility on users in order for this particular aspect of web 2.0 to reach its potential.

My ambivilence would stem from the obvious fact that if I was the owner of Facebook I would want this capability stamped out immediately, and I guess as long as these "user-created" environments are created/owned by corporations they aren't really what they let on they are.

If that doesn't make sense to anybody I'm not surprised, coz I only half know what I'm getting at.

[JimmyP]

I don't think it's too big a deal. The information that can be obtained by apps is not too harmful (name, hobbies. interests etc.).

Obviously I can see the potential danger of this but I can't see why the BBC is claiming this as their discovery - this method has been talked about before amongst developers. It's nothing new!

I think this feature in question is central to the success of Facebook and similiar applications. - It would be a very bad idea to stamp out user-generated apps/content.

There is a problem with this particular BBC article - it's implying that any <advisor snip> can pull it off - and that it only needs very basic skills. I doubt this is actually the case.

All the BBC is trying to do here is the same as what they are always trying to do - generate fear and uncertainty amongst the masses!

[plumsauce]

The BBC article points out that their "resident coder" took 3 days to put the app together. That is hardly implying that any jackass can do it.

What it *does* point out is that any <moderator snip> can be a victim of such a program. Even if said person is not the direct user, but rather, is in the chain of permissions granted as a "friend".

That's like leaving the house key under the doormat, while all your friends' emergency sets of house keys are hung on a hook just inside the door. With handy identifying tags on them of course. The better to enhance the user experience no doubt.

[zero_digit]

wow that's an eyeopener, what did facebook says when they heard this, are they act on it?....a big flaw like that will make the company and users ti it's downfall....

[ro0bear]

I’m no fan of face book, Its like a nice little lake that all kinds of unsavoury people sit around fishing for the clueless fish.

I worry about some of my friends and family using it because of the vulnerabilities it brings to the table, through identity theft, paedophilia and more.

Its also becoming more common for an employer to check an employees or potential employees face book account, so if they don’t like what they see it could have serious implications on your career.

I guess I just value privacy.

ro0bear

[Sgt. Baboon]

I’m no fan of face book, Its like a nice little lake that all kinds of unsavoury people sit around fishing for the clueless fish.

I worry about some of my friends and family using it because of the vulnerabilities it brings to the table, through identity theft, paedophilia and more.

Its also becoming more common for an employer to check an employees or potential employees face book account, so if they don’t like what they see it could have serious implications on your career.

I guess I just value privacy.

ro0bear

If you have stuff so bad on Facebook that a potential employer would not hire you, you have bigger issues than Facebook.

[webnoob]

The BBC article points out that their "resident coder" took 3 days to put the app together. T

The article actually says it took less than 3 hours, not days

They say they hacked it but the worse information they get is a name, school or hobby! If users don't want that visible, they shouldn't put it on something like Facebook .. period!

[c2uk]

In the video they mention they got the date of birth, home town and employer.

[ro0bear]

If you have stuff so bad on Facebook that a potential employer would not hire you, you have bigger issues than Facebook.

I dont use facebook, but I have heard of exactly that happening. A police man got fired for posing in his uniform (in a gay manor).

ro0bear

[jimbo_dk]

This also bring up the issue of social responsibility as developers.

[mkoenig]

Yeah... but im sure they didnt know the flaw was there?

[oxylus]

I think they are blowing this way out of proportion, however privacy is still somewhat of an issue, people should be a bit more paranoid about what they put on public sites.

[palgrave]

what did facebook says when they heard this, are they act on it?

According to the BBC, this is what Facebook had to say.

[php_daemon]

Yeah, well as in one of the comments is said, everything you post on the Internet can be read by anyone. In my case, with my personal information I post, anyone can't do much. But things like no identity cards in UK make me shiver. I'd think twice about giving any personal details on any site at all, if I lived in UK.

This is a serious issue in countries like UK, and that concerns more than just facebook.

[ro0bear]

The average teenage facebook user sees facebook as a responsible corperate website who would never let you do something that would endanger their safety. They are also ignorent as to what infomation you should put on the internet, what information you shouldnt, and what some people could do with the information they provide.

I think websites like facebook should recodnise this, and take more steps to help educate people who use their site about what information you shouldn't put on the internet. When signing up maybe a "The Golden Rules" page that just gives a simple and brief overview of what information you should never put online.

In particular, it should be made clear to not say anything about where you are going in the future. For instance, there was an instance I saw where a girl wrote on her facebook or myspace (cant remember which) to a freind about a school trip to somewhere in london, and even mentioned the time they would be there. A man (who had been posing as a teenage boy on the site) stalked her to the trip, walked past and stoked her back. Obviously she was a bit freaked out, especially when he kept following her, so she took a photo of him with her mobile phone and told the police. The police identified him from the photo, checked his computer and found child porn, and a myspace (or facebook) account where he was posing as the teenage boy, and had hundruds of young girls as facebook (or myspace) friends.

just one example.

If you saw a teenager walking round a crowded city with holding up a big sign with lots of pictures of him/her, his/her age, hobbies, school, friends, conversations etc, wouldnt you go and tell him/her that its not a great idea?

ro0bear

[jylyn]

I'm not that talented a coder and I've made a facebook app myself. Any FB app you install has access to all your personal data (not so much the list of hobbies, but definitely date of birth, address, relationship status etc).

According to the FB privacy rules, apps are not allowed to store this information and must re-request it from the FB servers every time you use the app. In reality, there's no way for FB to know if the developer is storing those details because, like the article said, the scripts aren't stored on FB's servers.

Basically if you've ever installed any FB app, you might as well assume that info has been stored, even if you uninstall the app. Hopefully most of the developers abide by the rules, but you can pretty much guarantee that some don't.

*edit: My mistake, a developer can't get your address. But they do have access to your country, city, and any networks you belong to, eg. your school or workplace.

[jylyn]

Yeah... but im sure they didnt know the flaw was there?

FB know, and they don't care. Their default answer will always be "yes, but a user can choose not to allow that application access to their data." This is true, but what they don't say is if you don't allow access, you cannot install the application.

[magicman6452]

Yeah, well as in one of the comments is said, everything you post on the Internet can be read by anyone. In my case, with my personal information I post, anyone can't do much. But things like no identity cards in UK make me shiver. I'd think twice about giving any personal details on any site at all, if I lived in UK.

This is a serious issue in countries like UK, and that concerns more than just facebook.

True, information can be viewed by anyone.

But, it i possible to stop search engine especially from including certain pages with their results.

As a result of this, unless you know the exact prime location of the information, information can't be displayed by just anyone!

Correct me if I'm wrong!

[php_daemon]

True, information can be viewed by anyone.

But, it i possible to stop search engine especially from including certain pages with their results.

As a result of this, unless you know the exact prime location of the information, information can't be displayed by just anyone!

Correct me if I'm wrong!

That's just details. But the point is that to stay secure, don't post anything you don't want to be abused.

[ioncube]

One of the things said by those who give advice on how to minimise the chance of identity theft is not to disclose your birthday as this is one of the common security questions used by organisations to verify identity. Yet innocent, trusting and possibly naive visitors are regularly encouraged to impart this information to social networking sites, forums and the like, without any warning that doing so may be a risk and that giving a false answer would be better.

Other television programmes in recent months have similarly shown how sites such as facebook and others allow detailed information about persons to be obtained, all of which is gold dust to would be identity thieves.

It would be refreshing to see such websites demonstrating social responsibility by having educational resources provided concerning identity theft, and to recognise that their members would probably willingly trade pointless fluff features such as an email on their birthday for a lower probability of having their credit history ruined and debt collectors coming to the door.

[ro0bear]

One of the things said by those who give advice on how to minimise the chance of identity theft is not to disclose your birthday as this is one of the common security questions used by organisations to verify identity. Yet innocent, trusting and possibly naive visitors are regularly encouraged to impart this information to social networking sites, forums and the like, without any warning that doing so may be a risk and that giving a false answer would be better.

Other television programmes in recent months have similarly shown how sites such as facebook and others allow detailed information about persons to be obtained, all of which is gold dust to would be identity thieves.

It would be refreshing to see such websites demonstrating social responsibility by having educational resources provided concerning identity theft, and to recognise that their members would probably willingly trade a lower probability of having their credit history ruined and debt collectors coming to the door for pointless fluff features such as an email on their birthday.

Well said

ro0bear

[LogicFlux]

I don't think this is a very big deal.

[Jonny]

I'm no programmer, but I'm confident that pretty much any web application could be 'hacked' given enough time, resources and expertise. This shouldn't be blown unnescessarily out of proportion.

[php_daemon]

I'm no programmer, but I'm confident that pretty much any web application could be 'hacked' given enough time, resources and expertise. This shouldn't be blown unnescessarily out of proportion.

Yes, but in this case they are giving out the data to developers, it's not even hacking per se.

[rosem]

In the video they mention they got the date of birth, home town and employer.

I openly give this information away on my facebook account/page anyway... "Hackers" are only going to be able to pull information you submit, as long as their not getting my SSN or things like that, oh well...