Facebook caught exposing millions of user credentials

Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to …

COMMENTS

This topic is closed for new posts.
FAIL

“We never share your personal information with our advertisers.”

Indeedy; by the sounds of it, they could just help themselves!

12
0
Pirate

Ah

"bug that overrides individual privacy settings"

That old chestnut.

1
0
Gav
Black Helicopters

there's always a back door

That's no bug.. it's an undocumented feature.

0
0
Big Brother

"Readers who want to err on the side of security"

...are probably better off without a Facebook account, to be frank.

14
0
Silver badge
Alert

Blah Blah

User details depend on how much info the users put in.

If they are stupid enough to record their entire life story complete with photos, links to all the family and a 'stream of consciousness' habit of posting then, yes, they may well deserve to get pwnd. But the rest of us know about Facebook so have a stripped-down profile or a totally bogus one.

3
2
WTF?

ruh-ro

Anyone else seeing:

Password change not successful.

Your old password was incorrectly typed.

I *know* I typed it in properly...

0
0

Joke

TURN CAPS LOCK OFF.

*ec hem* Turn Caps Lock off.

0
0
Bronze badge

I've been suspecting that it is a hijacker's overlay...

I think it is probably some botched government backdoor layer.

Whatever it is, though, bypass it by first logging in to:

mfacebook dot com

rather than dub dub dub dot facebook dot com.

From there, scroll to the screen bottom and click on "Desktop". Depending on the buggered implementation, you may have to take an intervening detour to "Touch", and then click on "Desktop" to log in.

What is REALLY bizarre, and makes me want to behead whomever is behind this is that THREE TIMES this morning my wall was particularly stripped of this:

"Change your password. During that process, fb automatically logs out any concurrent fb sessions/logins you have. Also, in the privacy settings and security settings, tell fb to notify you when your account is logged in to. And, enable the feature that requires a code when logging in. This means you will receive some kind of 5 or 6 digit number (via hand phone) which you must enter into the browser for the login to actually happen."

Each time since 7AM, that advice on my private wall was removed. No warning, no explanation, no TOS indications, no nothing. Just vanishes.

0
0
Unhappy

Aaah... those were the days

Sounds like more and more there's a price to pay for us to be online all the time, to see and be seen.

You want to share info, but don't want to be tracked that you shared. Having fun over the weekend, your boss might know immediately the minute after you post that one really funny photo. Want to conveniently manage your bank accounts, password vaults, forum posts... And it becomes a chore keeping track of all those usernames and passwords... So why not use one password

And then those functionalities that are imposed on you because 'it makes managing your account so much easier'. All these layers of stuff where things can (and will) go wrong.

0
0
FAIL

Facebook apps?

This is simply another reason not to use any Facebook apps. I use Facebook to keep in touch with friends and family many miles away, but I would never consider using any of the apps.

7
0
Silver badge

FB apps

You can look at the apps and see how they behave, what they do or don't send out.

I've binned any that want to spew out my details, my 'friends' details and the rest.

I'm left with not very many at all - suits me.

0
0
Bronze badge
Black Helicopters

Trust folks as little as you HAVE to and no more.

My profile really holds my email, not much else. Certainly no address or real birthdate. As applications have often been mentioned in the context of rather generous data access rights, I pretty much have no applications allowed.

Not being on FB is a choice. Being on FB and trusting it very little is another.

2
0
Happy

one comment

FB Purity FTW

0
0
Unhappy

Your Friends list is also valuable information

I take this sort of approach too (except I allow no apps at all and deny all of them data). I have very little data that isn't otherwise public EXCEPT a significant list of friends and contacts.

Of course Facebook also knows exactly who you used to be friends with and who you ignore too which could in itself be valuable/dangerous information.

0
0
Big Brother

Also, amazing news about bears and woods.

I'm shocked, shocked to find that leaking is going on here.

1
0
Silver badge
Pint

New legislation proposed!

Online providers to be listed on a leakage opt-out list. Film at 11.

0
0
Silver badge

Very interesting...

...that token thing. I have a minimal Facebook account (which refused to accept "Earth" as my location <sulk>) because some people from work expected me to have one. Over the months, I've watched a boss rack up an impressive score on some game that involves dropping marbles, and I've not been able to look at her without giggling to myself.

But on a more serious note, most of these app updates could be silenced, but I've noticed a few that are posted as if by the user. I can't elect to *not* see this crap without blocking the entire person's profile. I wonder if this is related to the leaked-token thing, for surely app-spam would be posted as such?

[it's not that big a deal, I tend to only bother looking when my sacrificial email says Facebook sent me some notification or other... useful for remembering people's birthdays]

1
0
Bronze badge
Happy

Pretty sure you can hide things.

Up to the upper right corner of posts, there is an invisible "Hide" that shows up if your mouse rollovers. On an app, I believe it can hide all Posts by that App.

I believe that's how I got rid of a buddy's Mafia Wars Post-Diarrhea.

0
0
Black Helicopters

Re: Pretty sure you can hide things

You can't hide some of them without hiding everything from that user - when you roll over to show the X and click it, it only offers to hide posts from the person, not the app. From what I can tell, those apps are posting as the actual user somehow, instead of posting to the user's wall...

0
0
Silver badge
Pint

"Facebook has leaked..."

Redundant. "Facebook..." There, I fixed it for you.

0
0
Thumb Down

Face Book???

More like FARCE BOOK.

0
0

Boss?

Who "friends" their boss??? That one will lick the back of your leg for a while before biting you on the arse....

0
0

*boss

The point of the post was that this user clearly felt that the boss wanted to have him on there to "keep an eye on him". This is increasingly common but is only a problem if you actually *use* facebook. I am in a similar boat (my wife made me have an account), but have no pictures on FB and only use it to generally have a presence.

0
0
Happy

Boss!

Someone whose Boss is a 28yr old leggy blonde who consistently Facebooks her out of office exploits with her ladette single pals.

Licking the leg and kicking the arse goes both ways :)

2
0

the boss wanted to have him on there to "keep an eye on him"

What if the boss asks to put spy cameras in your house and watch you taking a shit so that he knows you're eating enough fibre? Fair enough, right? I mean he can't be putting up with unhealthy staff now can he.

"This is increasingly common"

I should hope not. Any boss who asks me to tolerate such a thing would get the response they deserve.

0
0
Alert

FacePalm Strikes Again

If you also had a PS3 account you're having a real bad month online

3
0
FAIL

Facebook Security

Oxymoron of the century.

0
0
Big Brother

Expectations

I don't care who "expects" me to have a facepalm account it ain't gonna happen... and that's MY decision to make as an individual, I'm not going to be pressured by the sheeple who follow a crowd

I'm amused by how many have one because it's "expected" or because "everyone else has one".

0
0
Gold badge
Big Brother

you have another risk then..

Someone who doesn't like you can then set up a profile in your name, maybe grab pictures from you from somewhere and then start posting really *interesting* stuff. If they have enough data about you you'll have a fun time proving it's not you..

0
0
Big Brother

Sign up to my service or I'll joe-job you?

There are 3 reasons why this fails to convince me:

a) it is not special to FB. By this argument, I could be forced to sign up to every service in the world immediately it comes on line;

b) Actually, it is particularly weak for FB. If I don't have a FB account, there is a pretty good chance that my friends know that I have made a definite decision not to get one (and perhaps are even tired of hearing my rants about it), and so will realise instantly that it is a joe-job; and

c) since I have never agreed to anything with FB, their user policies are irrelevant to me. When I advise them that they are libelling me, their only safe response is the same as any other content distributor: remove the content "expeditiously" and replace it with a retraction and apology. If they do not, I will nail them to the wall, and their lawyers will advise them that my chances of winning are around 97%.

Additionally, in some jurisdictions, using an electronic forum for joe-jobbing may fall under new "cyber-bullying" laws, particularly if sexual insinuations are made. In that case, it's not just libel (a civil offence), it's a criminal offence, and FB is going to help the police find the offender. Possibly the offender may be smart enough to hide his tracks, but so the cops seem to have a pretty high success rate finding them.

0
0
Silver badge
FAIL

Readers who aren't sure if they're affected might want to err on the side of security ...

Being on FB endangers:

- Your job prospects

- Mortgage potential

- Even, especially for Koreans, prospective wives

- Police interviewees for people associated with criminals

0
0
Anonymous Coward

The title is required, and must contain letters and/or digits.

Surely it doesn't matter.

I mean, no one in their right mind is going to post sensitive and confidential information on a social networking website, are they?

0
0
Anonymous Coward

Is it good enough...

to change your password and then change it back again?

0
0

HSBC

Screwing me by dropping interest rates, they charge £75 to enable debit on the card. Mutual funds went down. Government increases VAT. Sony stores my password unencrypted and gets hacked. All SaaS is in "beta", how my data is future proof and secure is unknown. Oracle buys Sun and starts charging for MySQL. Mortgages are screwed.

Now Facebook, what's next? Where can I hide?

0
0
Linux

MySQL still free.

Oracle is not charging for MySQL -- at least not yet. They agreed to continue supporting GPL releases until at least 2015.

In the meantime, the free software movement -- with the support of Monty Widenius, the original author -- has forked a GPL-only version called MariaDB. The intent is to continuously maintain MariaDB as binary compatible with MySQL, so that if Oracle's plan was to pull the GPL licensing in 2015 in order to kill off a competitor, then they just wasted one ... billion ... dollars. BWA HA HA HA!

0
0
Silver badge
Black Helicopters

What, again?

I've got this one figured out. Facebook is working on making the leakage of Facebook user details so routine that it's not news anymore. Then no one will ever know when they sell user details. It's all part of their diabolical scheme to take over the world. BWAHAHAHAHA!

0
0
FAIL

Any company ...

that sends me "targeted" ads is likely to exclude itself from my purchasing decisions.

Anyway if an app asks for access to my profile (such as it is) I don't go any further with it.

0
0
Bronze badge

Friending but Starving a facebook Contact? How to do?

Does facebook allow users to selectively deprive a given "friend" of information we share with others? It may seem pointless, but as long as a "friend" has limited known contact with our friends (in other words, we on facebook appear to not have common friends as far as facebook displays), we may want to deprive or starve someone rather than outright drop someone.

I cannot find such a facility in fb. Does anyone know if it is possible?

0
0