The Register® — Biting the hand that feeds IT


Facebook plugs email address indexing bug

Incident-prone social network monolith Facebook has plugged yet another security leak, this time involving the indexing by search engines of email addresses not listed on Facebook. Thousands of email addresses submitted using Facebook's "Find a friend" feature that were not tied to a Facebook account wound up getting indexed by …

This topic is closed for new posts.

Well...

That's the problem with open infrastructures like Facebook's, as soon as you introduce user controls for privacy and permissions then you add the ability for lusers to get these things wrong. Somehow with Facebook being a website though they get a lot more stick than Microsoft do for the same issues on the Desktop.

Stop

Umm...

"Facebook changed its robot.txt file to prevent the search engine from indexing the relevant "opt out of emails from Facebook" page so that email address data can no longer be harvested by spammers or other miscreants."

What's to stop the spammers, etc from writing their own web-crawler which simply ignores the robots.txt file? Such a move is hardly beyond the scope of most semi-organised gangs.

Anonymous Coward

"Such a move is hardly beyond the scope of most semi-organised gangs."

Yes but when Zuckerberg's advisers tried to explain that to him, using lego models and everything, they found that it was well beyond the scope of Mark's understanding - and gave up.

Joke

Re: Umm...

Yup, too difficult to fix properly, so work around it.

Change the form header from "Opt out of emails from Facebook" to "Opt in to emails from absobloodylutely everyone except Facebook".

That should do it.

Anonymous Coward

Becoming a bit of a FarceBook

So the bugs are piling up, some days and weeks s**t happens, that's the nature of IT.

BUT the users gave Facebook their email addresses, they typed them into a form at some point, even if they did not want them published. Bit of blind faith here.

When will people learn that when you give information to another party, you also give them total control. Even if they are not malicious, they may, like the DVLA, sell it, or give it to 'partners' or just plain lose it.

Whatever you type in to websites, (or even local applications), you are trusting the other party not to screw up or screw you over.

Err, no...

...it was the feature where someone else gives your email address to Facebook, to be told when (or if) you join Facebook. So no action from you, just your (so called) friend.

Personally, I'd hope my friends would never submit my email address anywhere without checking with me first, but Facebook does make it very easy by offering to "Search your email for friends already on Facebook". And no doubt FB keep all the addresses they find, just in case...

Anonymous Coward

Re: Becoming a bit of a FarceBook

"BUT the users gave Facebook their email addresses, they typed them into a form at some point, even if they did not want them published. Bit of blind faith here."

Actually, the problem is that _other_people_ are entering your e-mail address in the hope of finding you on facebook. And when no match is found (because you haven't given facebook that info), search engines were still able to index your e-mail address.

This is not a problem caused by the users - even if you didn't have a facebook page, your e-mail address could still be indexed.

Anonymous Coward

Re: Becoming a bit of a FarceBook

You'd hope that the likes of the DVLA has opt-in/opt-out boxes as to not sell our info to any Arthur Daley type.

Although having said that, what with the election having recently happened, plenty of Arthur Daleys seem to have bought the election register GRRRRRR! and I'm including political parties there!

But plenty of spam for all these poor people having their email listed, surely the ICO should get involved ... download it to a USB for a NHS or MOD employee to have stolen from their car, which later is stolen.

Happy

It's just not your month, is it, b*tch?

Fixed it for you - I thought it was the done thing for all things facebook?

They definitely record email searches.

I've never used Facebook, but I've gotten the occasional invitation to join. What bothers me is that it 'suggests' people as friends to contact. The people in question are indeed people I know, but to my knowledge have absolutely no connection other than that they know me, and presumably have all done a search on Facebook for my email at some point.

FAIL

robots.txt is not a security protocol

Just like doc spock relates above.... robots.txt is not a security protocol.

And it's not just miscreants, major search engines reserve some rights to still spider (but not include in their public index) stuff that they are told not to look at via robots.txt. And there's all the silly parasitic bots appearing in the Amazon cloud, goober bots like 80legs, and all the corporate sponsored bots that tend to ignore robots.txt entirely.
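The point made in the comments above, that robots.txt only advises well-behaved crawlers and does nothing to control access, can be checked from the defender's side. The sketch below is an added example, not part of the original thread or any Facebook code: the path names, the robots.txt content and the unauthenticated responses are all constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt; the paths are hypothetical, not Facebook's.
ROBOTS_TXT = """\
User-agent: *
Disallow: /optout/
Disallow: /account/
Disallow: /invite/
"""

# Constructed: what an unauthenticated client gets back for each path.
RESPONSES = {
    "/optout/": {"status": 200, "headers": {}},
    "/account/": {"status": 302, "headers": {"Location": "/login?next=/account/"}},
    "/invite/": {"status": 200, "headers": {"X-Robots-Tag": "noindex"}},
}

def compliant_crawler_may_fetch(robots_txt, path):
    """What a crawler that honours robots.txt would decide for this path."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch("*", path)

def disallowed_paths(robots_txt):
    """Every Disallow value, i.e. the paths the site is trying to hide."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def audit(robots_txt, responses):
    """Classify each hidden path by what actually protects it."""
    findings = {}
    for path in disallowed_paths(robots_txt):
        resp = responses.get(path)
        if resp is None:
            findings[path] = "unknown"
            continue
        headers = {k.lower(): v.lower() for k, v in resp["headers"].items()}
        to_login = (resp["status"] in (301, 302, 303, 307, 308)
                    and "login" in headers.get("location", ""))
        if resp["status"] in (401, 403) or to_login:
            findings[path] = "access-controlled"  # enforced by the server
        elif "noindex" in headers.get("x-robots-tag", ""):
            findings[path] = "noindex-only"       # advisory, still readable
        else:
            findings[path] = "robots-only"        # anyone can read the data
    return findings

if __name__ == "__main__":
    for path, verdict in audit(ROBOTS_TXT, RESPONSES).items():
        print(path, verdict, compliant_crawler_may_fetch(ROBOTS_TXT, path))
```

Only the `access-controlled` verdict describes real protection; a `robots-only` path is still served in full to any client that does not consult robots.txt, and a `noindex` header is never even seen by a compliant crawler that the Disallow rule has already turned away.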

WTF?

how can search engines find this data in the first place?

I'm a bit confused by the "those exposed have their so-called mates to thank for any exposure" statement... why are people who search for email addresses to blame for search engines being able to index the email address?

Why is that email address retained in a publicly accessible way by facebook in the first place?
