Facebook bug spills name and pic for all 500 million users
A bug in Facebook's login system allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private. The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person …
With all the kerfuffle about what Google do and how they do/don't keep information secret, I really hope/wish the same political pressure would be brought to bear on Facebook. I think they're far more irresponsible than Google.
Facebook aren't really.
Not until they store your complete email archive (even corporate or school/uni email may not be safe as a lot of companies outsource email storage to Google), together with photos and locations of everywhere you go (including your home), together with your search history and browsing habits.
And yes, apparently if you *ever* sign in to to any Google Service, they do log your search history, and any site using Google Adwords will be logged and tied to your ID.
The major difference between Google and Facebook with regard to data storage is simple: Any data on Facebook is put there by you, so you know about it. Google store data on you without you even being aware of it.
Regarding this bug, I don't know that I am bothered. The only email addy I have on my Facebook (in fact the only non-facebook contact method I have on my facebook profile) is a hotmail one I set up years ago purely to collect spam. My name is publically accessible regardless of whether it's on Facebook or not. It's even at the head of this post.
I love that word "apparently" - it allows me to project opinion as fact. I'm sure you're more sensible, but some evidence to support your statement would make it's verifiability more ... apparent.
I'm curious why you draw the line at "I only signed up to a service", the user has still made a concious effort to join the Google crowd. Should they decide not to then they can forgo all the privacy concerns you listed.
At least, to date, none of my private sales/searches/emails have been susceptible to theft because of Google and yet numerous personal details will have been leaked by Facebook's poor privacy standards.
I don't see why they'd allow applications access to profile information anyway, it's just not necessary for the vast majority of typically used services.
They don't pretend to be anything but a leaky cross-reference (and great conduit for disinformation). The Googs act all noble and benevolent while leading us to their vision of cloud based cyber-utopia.
You've asked Zuckerberg this, himself, then, and he replied "Honestly, Dave, I don't pretend to be anything but a leaky cross-reference."
Did he go on to explain how a leaky cross-reference can end up being worth $4 billion, because I'd like to know.
as would we all. Bottom line its worth about its current revenue streams and nothing else.
Damn, I got some facebook links, I wonder if I should ban facebook.com as a rogue website? To protect MY OWN users.
to see this bug exploited in shorter order.
YMMV.
It was Shakespeare who gave the line: "For tis the sport to have the enginer Hoist with his owne petar" to Hamlet in 1602 - for an explanation see: < http://en.wikipedia.org/wiki/Petard > - and Facebook is a wonderful example.
Facebook subscribers have no one to blame for their public exposure as the web site has behaved as immaturely as it's purported owner. There have been plenty of warnings that privacy should not be expected either by technology failings or malicious intent of the web site operators.
If you want your privacy, don't publish your information anywhere.
> If you want your privacy, don't publish your information anywhere.
Quite right.
FWIW, my most of my Facebook account is as open as a hookers legs, because I don't consider anything I put there private - some of my basic information is set as private, but the information I absolutely do not want shared isn't on Facebook to begin with.
I would like to take Atul Agarwal of Secfence Technologies to task, though - the article quotes him as saying "Facebook users have no control over this, as this works even when you have set all privacy settings properly" - I have set all my privacy settings "properly" but that's with a definition of properly that differs from the one in that quote. "Properly" means they are set how I want them to be set, but in the context of the quote it means everything is locked down for absolute privacy (or whatever value of the word privacy applies when it comes to Facebook).
To be totally honest, it annoys me when people lock things down like that - how in the holy hot-rodding hell am I supposed to work out if the Joe Bloggs I see on Facebook is the Joe Bloggs I used to know, when I can't see where he lives, who his friends are (and who our mutual friends are), and so on. But that's heading off topic somewhat. :)
That one's easy. You send him a message and include some of the shared information.
You agreed with the comment about protecting private information by not giving it to Facebook. Not so. Trivial counterexample: One of actual friends (not to be confused with the debased sense of "Facebook Friend") posts a group picture and captions your name. Ugly (but not nearly the ugliest possible) counterexample: Scammer steals some of your personal information and creates a fake Facebook page in your name to scam your friends.
Facebook is a REALLY bad idea.
Someone needs to create an alternative system that starts from a Golden Rule of Privacy Principle. If you want to see some of my personal information, you have to agree to share the corresponding personal information with me, and we BOTH have to agree in advance before any actual information is exchanged.
Privacy Protection Corollary 1: My personal information should belong to me, NOT Facebook or Microsoft of Google or Apple or ANY other humongous corporate monster, and I should be able to make them delete the entire package of MY personal data at ANY time for ANY reason. (There should be a download option, and they can include checksums to prevent tampering.)
Privacy Protection Corollary 2: If my personal information belongs to me, unauthorized gathering should be a presumptive crime. In the Facebook-type of situation, they are acting as authorized guardians of my privacy, and they should watch for and go after harvesters with the biggest lawyer holding the biggest stick possible.
> That one's easy. You send him a message and include some of the shared information.
Not so easy if their settings prevent this - you can choose to receive messages only from friends. You can attach a message to a friend request, which can be locked down as far as friends of friends, IIRC, but then being able to send such a message assumes you do have mutual friends on Facebook - which might not necessarily be the case, if the other person has only recently joined. Or it could be the case if the person is a nasty mean grumpy bastard like me who at one point got so pissed off with his friends and family proliferating panic-status updates and so on that he deleted everyone then started again.
> You agreed with the comment about protecting private information by not giving it to Facebook.
> Not so.
Yes, yes I did - and I stand by that.
> Trivial counterexample: One of actual friends (not to be confused with the debased sense of > "Facebook Friend") posts a group picture and captions your name.
You can caption any picture, anywhere, with anyone's name, so I fail to see the relevance. If you mean tagging, which is slightly different, then if someone tags your name such that it is linked to you, you can detag it - and they won't be able to tag it that way again. They can tag it without linking it - but that's really no different to a caption.
> Ugly (but not nearly the ugliest possible) counterexample: Scammer steals some of your
> personal information and creates a fake Facebook page in your name to scam your friends.
Interesting concept, but unless someone joins Facebook and connects with their friends and family on the site without ever mentioning it to those they are in contact with currently, in the real world (which somehow seems natural to me, but maybe I'm just a little bit crazy) then I think it's a non-starter.
Only once someone has established contact with a good number of their current real world friends and family should they be thinking about contacting people they once knew, a long time ago, IMO - but then that brings us back to your first argument; about contacting people and asking if they're the Joe Bloggs I knew from x years ago: If that's a scammer, pretending to be Joe Bloggs, then he might say yes anyway intending to scam me. Having an open friends/mutual friends list is therefore more secure by your own example, isn't it?
> Someone needs to create an alternative system that starts from a Golden Rule of Privacy Principle.
Good idea. Let me know when you've got it up and running, and I'll think about joining it.
I don't want to share my face, email etc with someone just because they knew someone with a similar name (especially bad for common names).
If you want to know if he is the person you are looking for send an email/invite to find out.
If they are the proper person and they want to talk they can respond.
I got along with everyone OK, but I can see how some people just wouldn't want to be looked up by some of the people they once knew.
concerns about corporations holding lots of personal info always gets easily chalked up to paranoia, but having companies like Google and Facebook unchecked is scary. History is full of examples of those with power abusing it. Can you imagine what Stalin or Hitler could have done with such tools? Are modern democratic countries totally immune to falling under the power of a dictator like these goons? (remember facts seem to show Bush ruled the US unelected for 8 years) Something as simple as a name or picture, can show you complexion, race and names alone can give sometimes give an ethnic heritage.
The US Constitution provides a strong legal protection for privacy, and the forefathers were wise enough to see the perils of the state (or any org) holding too much information over people, though they would spin in their graves at the nanny state we have become.
We should hold our congressmen responsible for making legislation that would force ALL internet companies to allow users to review their own data that is held, and have the chance to opt out of such reporting. The credit bureaus were finally forced to pretend to do this, and now we have at least a little control over the data they hold over our lives. Its time Google and Facebook are reigned in and forced to respect the right to privacy (looking at Google here, for all its problems Facebooks seems to be trying, they just are guilty of being shitty web site coders. (not a good resume builder these days, web site coder for facebook)
> If you want to know if he is the person you are looking for send an email/invite to find out.
Like I said in reply to Shannon, that's not always possible, depending on their settings.
As you say, though, it could be that they don't want to add old acquantances as friends on Facebook - which is fair enough, each to their own, etc, but surely it makes more sense for those old acquantaces to be able to identify them as, well, them, and try to make contact, at which point they can say "Yes, I am indeed the person you think, but I don't want to add you as a friend on Facebook" - rather than leave them wondering "Is that him, or not?" (and possibly look again, and again, or pester other people with the same name...)
(The only people I can reasonably understand that level of lock-down are celebs and what not, who don't want to be constantly receiving messages and friend requests from plebs.)
I'm amazed at what people will unwittingly publish. Like many people I use a hotmail account for facebook, and keep this isolated from anything serious I do online (banking, etc.) When I first signed up to Facebook I used one of it's tools to search for friends using my hotmail contacts. It found a recruitment agent I'd been in touch with and she used a pretty raunchy photo of herself as her main profile pic and was quite explicit in the personal details she made visible - all of this linked to her corporate email address.
"Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."
What can be bypassed exactly? It doesn't mention any security measures that would need bypassing. Sounds like a mountain out of a mole hill given how most people have their full names either in or linked to their e-mail addresses these days. If you've got an e-mail address you want to use for some anonymous purpose why the hell would you sign up to facebook with it?
This ones easy, If you would try this using just one IP you'd be banned shortly for failing to login over and over. If you try the same thing from behind over 9000 proxies their IDS would not notice and you don't get a ban.
The IDS thing is probably the one thing that Facebook got right security wise. On the other hand it is to harsh for my taste sometimes. It's not like I'd put anything I consider worth something on Facebook.
... of the total, or just the bit that Zuckerberg doesn't owe to the firewood merchant? Did MS buy the stake from Paul Ceglia, along with a batch of other 'anti-Jobs' devices (assuming Ceglia does a line in silver bullets and that van Helsing is on staff to supervise handling of the stake)?
I use a unique-to-Facebook email address so I don't think anyone would manage to guess it. Even if they do, the picture isn't of me.
My surname in FB is mangled precisely because of privacy issues.
Just tried it out on myself and it obligingly throws up my name and face. Mind you I don't look like that anymore, so nothing much revealed. But really : how juvenile are these people? There's no excuse for this sort of error. I'll give them 24 hrs to fix it and if not, I'm closing my account down - assuming I can find out how!
IT? I'm not sure they've heard of it.
You can now remove yourself. And you get an email confirming this and begging you to come back.....
They can beg all they like - I won't be back. Reading the posts below, it seems they deliberately want to make it easy to get in, even at the expense of security (do they know what that means?). Dorks.
I removed myself long ago (years) and they still have my full name, if not my old dp. I'm half tempted to sign up, change my name to "Bugger Off" and kill my account again.
Systematically go through ALL of your posts, then replace them one by one with rubbish. Nothing maliciouis, just rubbish. Rathern than delete them first, replace with rubbish, then leave them a few months to make sure fb doesn't resurrect zombies from your past. Rather than delete or close your account, change the contact information to some other dead-end mail address. Do that several times a year until whomever is buying YOUR information considers the "buy" worthless to them. If enough people do this, it'll force fb to come up with more algorithms to re-match information. Also, it'll probably poison the pool.
Unfortunately, for those who've posted 3,500+ articles, it'll take quite a long time, even at 10 notes or posts a day, to subvert/destroy the value in their profiles.
(This is the same idea i had since the early 90s with win 3.1: rather than delete files outright, change the contents and save as the new name. This should (theoretically) destroy the bits that were in the original file. But, later, better schemes arrived. However, in the case of fb, your data eviscirating plan is always at the mercy of fb being on the lookout. I've already noticed that going farther and farther back in ones own posts takes a bit of time. Either they've got super busy servers, or they've caught on and are making it too painful for profile subversion.)
Security conscious login systems won't even reveal whether an account exists if you don't provide the correct password, the standard response is something like "User name or password is invalid." Admittedly that is a little bit annoying, so they might be excused to doing away with that security measure. But to actually reveal information about that account is idiotic, and when they combine it with a system where something widely known like an email address functions as the user name, that pushes this into Epic Fail territory.
...it's not a bug, it's an undocumented 'feature'.
If you read the disclosure thread, it gets worse - it auto-corrects email addresses too so you only have to get the email address 'nearly' right and it'll turn over the real one. Works too, just tested it by adding an extra letter to my wife's login email address and specifying a completely incorrect the wrong password. Result? Corrected version of her email, full name and a really cute photo of our cat.
What next? "It looks like you made a slight misspelling in your password... but that's OK, we trust you!" ?!?!
Is this a new discovery? It would explain the two people with West African names who wanted to be Facebook friends with 4gnes Slapp3r..
AC for obvious reasons.
It's not a bug, it's by design. Shitty design, but design none-the-less
How many people actually use there real name on facebook?
Or the internet for that matter.
Why would you? It's bad enough in the real world without letting them get you in the cyber space.
call me tin foil Tracy but I still prefer to make up names on the spot. Facebook was no exception.
I use my real name on line all the time, on all systems(*) I'm registered on, and have done since the early '80s. It's who I am, why would I not? Security is not vested in false names.
(*) General systems, that is. There may or may not be one or two specific systems on which I really, really don't want to be identified where I might or might not use a pseudonym.
GJC
It's just taken a while for someone to notice...?
I saw this happening a couple of weeks ago, but thought nothing of it and assumed Facebook were happy with how things were. After all, most Facebook users aren't massively tech savvy and believe that the way Facebook has things set up benefits them wholeheartedly.
The security implications were immediately obvious and this feature is poorly designed. It seems to allow you to make minor mistakes in your e-mail address, and it auto-corrects for you?? I smell phish.
Ludicrous. I predict this being changed/patched within days given Facebook's already less than favourable public image.
oh dear me facebook is not having a good time even im registered on it i hope my email address isnt shown or in the hands of attackers there the biggest bunch of idiots that infect the internet today. hackers have nothing better to do there sad all i can say is facebook better get there act together fast
So was this a silent fix, or did Facebook document the bug and the dates it was extant for?
The best privacy policy is to assume that anything that you publish on Facebook is public. Get rid of the "privacy" settings and control your own information. None of these companies can be trusted to keep information hidden, so why try? I got a Facebook account to be more public. That was the whole point of social networking. If you want to keep information semi-private, while still risking information theft, get your own Website that you can control.
"The best privacy policy is to assume that anything that you publish on Facebook is public."
Exactly the way it is with Twitter. If you post something on Twitter, you should realise that it can be seen by ANYONE. That certainly tempers what I say on there.
It didn't stop Paul Chambers being shafted by the CPS at his #TwitterJokeTrial though.
Great: a “bug” on Facebook that compromises our privacy. Whoop tee doo...
Truth is, Facebook is far from motivated to protect users’ privacy. That’s because it generates revenue by studying the online activities of its members and selling this information to advertisers and marketers hoping, in turn, to sell those users something.
There is a new privacy- and security-based social-networking site on the way, however, where the user is in complete control of all private information. ZeldaB does not allow advertising nor does it monitor, capture or keep your information, so predators, spammers and window peepers are kept away with strong, built-in, 256-bit security that confirms the identities of each and every member.
Check it out at www.zeldab.com
This is pretty scary for me- I've done everything to keep my identity secret in the email address I use for facebook. Now anyone who wants to will be able to figure out my name, if they only know my email address "firstname@firstnamesurname.com".
Ok, try this example:
You have a Facebook account: you in good faith (don't laugh) place your real name and photo on the page and make them PRIVATE, but you use a fake name for your facebook alias, so that you can make anonymous comments online. You then go and write a long rant online using this alias name, about how much you hate George Bush, and what a bad criminal president he was etc etc.
Then this little facebook bug gets publicized, and your boss (who is just peachy for Bush) decides to find out who this infamous bush hater is, and wow now your fired. Sure its illegal to fire someone for that reason, but they don't have to tell you why.
Or say your not badmouthing, but just speaking up about how much you enjoyed a day related to a religious ceremony. A bug like this could be used to identify people of certain religions, races, beliefs etc. Once you know a name and face it is much easy to run smear campaigns, or simply eliminate and opposition (more importantly eliminate the vocal head of your opposition).
Just because you use your full name as your email address does not mean that other people do not, or have a valid reason too. Further when you sign up and use a service that purports to keep some of this information PRIVATE - you do not expect them to go out and serve it up to ANYONE who requests it anonymously online.
...is that _anyone_ can see your profile pic these days. To stop that I either have to make myself unsearchable, or not have a profile pic. Annoying.
You are searchable, but blow me down with a feather there might be two people in the world with the same name!
No really!!!!
So you put your town and your picture so people know who it is. They can find you.
If you don't want people to find you (who know you name, town and what you look like - obviously wierdos) then don't make it searchable.
Hell just don't have a facebook account, please.
So assuming they get my name right, few people do, they'll be presented with a picture of a fox licking a window, next to my email address...
/\ /\ /\ I'm not saying she's a fox, but I suspect she's licked a window or two...
Sign up, sign up for The Register's weekly IT security newsletter - click here
