back to article Facebook caught exposing millions of user credentials

Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to …

COMMENTS

This topic is closed for new posts.
  1. Adam T
    FAIL

    “We never share your personal information with our advertisers.”

    Indeedy; by the sounds of it, they could just help themselves!

    1. Anonymous Coward
      Pirate

      Ah

      "bug that overrides individual privacy settings"

      That old chestnut.

      1. Gav
        Black Helicopters

        there's always a back door

        That's no bug.. it's an undocumented feature.

  2. Studley
    Big Brother

    "Readers who want to err on the side of security"

    ...are probably better off without a Facebook account, to be frank.

    1. Elmer Phud
      Alert

      Blah Blah

      User details depend on how much info the users put in.

      If they are stupid enough to record thier entire life story complete with photo's, links to all the family and a 'stream of conciousness' habit of posting then, yes, they may well deserved to get pwnd. But the rest of us know about Facebook so have a stripped-down profile or a totally bogus one.

  3. Anonymous Coward
    WTF?

    ruh-ro

    Anyone else seeing:

    Password change not successful.

    Your old password was incorrectly typed.

    I *know* I typed it in properly...

    1. Anonymous Coward
      Joke

      TURN CAPS LOCK OFF.

      *ec hem* Turn Caps Lock off.

    2. This post has been deleted by its author

    3. dssf

      I've been suspecting that it is a hijacker's overlay...

      I think it is probably some botched government backdoor layer.

      Whatever it is, though, bypass it by first logging in to:

      mfacebook dot com

      rather than dub dub dub dot facebook dot com.

      From there, scroll to the screen bottom and click on "Desktop". Depending on the buggered implementation, you may have to take an intervening detour to "Touch", and then click on "Desktop" to log in.

      What is REALLY bizarre, and makes me want to behead whomever is behind this is that THREE TIMES this morning my wall was particularly stripped of this:

      "Change your password. During that process, fb automatically logs out any concurrent fb sessions/logins you have. Also, in the privacy settings and security settings, tell fb to notify you when your account is logged in to. And, enable the feature that requires a code when logging in. This means you will receive some kind of 5 or 6 digit number (via hand phone) which you must enter into the browser for the login to actually happen."

      Each time since 7AM, that advice on my private wall was removed. No warning, no explanation, no TOS indications, no nothing. Just vanishes.

  4. TheRealRoland
    Unhappy

    Aaah... those were the days

    Sounds like more and more there's a price to pay for us to be online all the time, to see and be seen.

    You want to share info, but don't want to be tracked that you shared. Having fun over the weekend, your boss might know immediately the minute after you post that one really funny photo. want to conveniently manage your bank accounts, password vaults, forum posts... And it becomes a chore keeping track of all those usernames and passwords... So why not use one password

    And then those functionalities that are imposed on you because 'it makes managing your account so much easier'. All these layers of stuff where things can (and will) go wrong.

  5. Alan B
    FAIL

    Facebook apps?

    This is simply another reason not to use any Facebook apps. I use Facebook to keep in touch with friends and family many miles away, but I would never consider using any of the apps.

    1. Elmer Phud

      FB apps

      You can look at the apps and see how they behave, what they do or don't send out.

      I've binned any that want to spew out my details, my 'friends' details and the rest.

      I'm left with not very many at all - suits me.

  6. Jean-Luc
    Black Helicopters

    Trust folks as little as you HAVE to and no more.

    My profile really holds my email, not much else. Certainly no address or real birthdate. As applications have often been mentioned in the context of rather generous data access rights, I pretty much have no applications allowed.

    Not being on FB is a choice. Being on FB and trusting it very little is another.

    1. Maverick
      Happy

      one comment

      FB Purity FTW

    2. Anonymous Coward
      Unhappy

      Your Friends list is also valuable information

      I take this sort of approach too (except I allow no apps at all and deny all of them data). I have very little data that isn't otherwise public EXCEPT a significant list of friends and contacts.

      Of course Facebook also knows exactly who you used to be friends with and who you ignore too which could in itself be valuable/dangerous information.

  7. Mike 140
    Big Brother

    Also, amazing news about bears and woods.

    I'm shocked, shocked to find that leaking is going on here.

  8. Destroy All Monsters Silver badge
    Pint

    New legislation proposed!

    Online providers to be listed on a leakage opt-out list. Film at 11.

  9. heyrick Silver badge

    Very interesting...

    ...that token thing. I have a minimal Facebook account (which refused to accept "Earth" as my location <sulk>) because some people from work expected me to have one. Over the months, I've watched a boss rack up an impressive score on some game that involves dropping marbles, and I've not been able to look at her without giggling to myself.

    But on a more serious note, most of these app updates could be silenced, but I've noticed a few that are posted as if by the user. I can't elect to *not* see this crap without blocking the entire person's profile. I wonder if this is related to the leaked-token thing, for surely app-spam would be posted as such?

    [it's not that big a deal, I tend to only bother looking when my sacrificial email says Facebook sent me some notification or other... useful for remembering people's birthdays]

    1. Jean-Luc
      Happy

      Pretty sure you can hide things.

      Up to the upper right corner of posts, there is an invisible "Hide" that shows up if your mouse rollovers. On an app, I believe it can hide all Posts by that App.

      I believe that's how I got rid of a buddy's Mafia Wars Post-Diarrhea.

      1. Byte
        Black Helicopters

        Re: Pretty sure you can hide things

        You can't hide some of them without hiding everything from that user - when you roll over to show the X and click it, it only offers to hide posts fromt he person, not the app. From what I can tell, those apps are posting as the actual user somehow, instead of posting to the user's wall...

  10. JeffyPooh
    Pint

    "Facebook has leaked..."

    Redundant. "Facebook..." There, I fixed it for you.

  11. Deadly_NZ
    Thumb Down

    Face Book???

    More like FARCE BOOK.

  12. Mutton King

    Boss?

    Who "friends" their boss??? That one will lick the back of your leg for a while before biting you on the arse....

    1. SuperTim

      *boss

      The point of the post was that this user clearly felt that the boss wanted to have him on there to "keep an eye on him". This is increasingly common but is only a problem if you actually *use* facebook. I am in a similar boat (my wife made me have an account), but have no pictures on FB and only use it to generally have a presence.

      1. The Alpha Klutz

        the boss wanted to have him on there to "keep an eye on him"

        What if the boss asks to put spy cameras in your house and watch you taking a shit so that he knows you're eating enough fibre? Fair enough, right? I mean he can't be putting up with unhealthy staff now can he.

        "This is increasingly common"

        I should hope not. Any boss who asks me to tolerate such a thing would get the response they deserve.

    2. Anonymous Coward
      Happy

      Boss!

      Someone who's Boss is a 28yr old leggy blonde who consistantly Facebooks her out of office exploits with her ladette single pals.

      Licking the leg and kicking the arse goes both ways :)

  13. FozzyBear
    Alert

    FacePalm Strikes Again

    If you also had a PS3 account you're having a real bad month online

  14. Anonymous Coward
    FAIL

    Facebook Security

    Oxymoron of the century.

  15. Da Weezil
    Big Brother

    Expectations

    I dont care who "expects" me to have a facepalm account it aint gonna happen... and thats MY decision to make as an individual, Im not going to be pressured by the sheeple who follow a crowd

    I'm amused by how many have one because its "expected" or because "everyone else has one".

    1. Fred Flintstone Gold badge
      Big Brother

      you have another risk then..

      Someone who doesn't like you can then set up a profile in your name, maybe grab pictures from you from somewhere and then start posting really *interesting* stuff. If they have enough data about you you'll have a fun time proving it's not you..

      1. Carol Orlowski
        Big Brother

        Sign up to my service or I'll joe-job you?

        There are 3 reasons why this fails to convince me:

        a) it is not special to FB. By this argument, I could be forced to sign up to every service in the world immediately it comes on line;

        b) Actually, it is particularly weak for FB. If I don't have a FB account, there is a pretty good chance that my friends know that I have made a definite decision not to get one (and perhaps are even tired of hearing my rants about it), and so will realise instantly that it is a joe-job; and

        c) since I have never agreed to anything with FB, their user policies are irrelevent to me. When I advise them that are libelling me, their only safe response is the same as any other content distributor: remove the content "expeditiously" and replace it with a retraction and apology. If they do not, I will nail them to the wall, and their lawyers will advise them that my chances of winning are around 97%.

        Additionally, in some jurisdictions, using an electronic forum for joe-jobbing may fall under new "cyber-bullying" laws, particularly if sexual insinuations are made. In that case, it's not just libel (a civil offence), it's a criminal offence, and FB is going to help the police find the offender. Possibly the offender may be smart enought o hide his tracks, but so the cops seem to have a pretty high success rate finding them.

  16. JaitcH
    FAIL

    Readers who aren't sure if they're affected might want to err on the side of security ...

    Being on FB endangers:

    - Your job prospects

    - Mortgage potential

    - Even, especially for Koreans, prospective wives

    - Police interviewees for people associated with criminals

  17. Anonymous Coward
    Anonymous Coward

    The title is required, and must contain letters and/or digits.

    Surely it doesn't matter.

    I mean, no one in their right mind is going to post sensitive and confidential information on a social networking website, are they?

  18. Anonymous Coward
    Anonymous Coward

    Is it good enough...

    to change your password and then change it back again?

  19. mraak

    HSBC

    Screwing me by dropping interest rates, they charge £75 to enable debit on the card. Mutual funds went down. Government increases VAT. Sony stores my password unencrypted and gets hacked. All SaaS is in "beta", how my data is future proof and secure is unknown. Oracle buys Sun and starts charging for MySQL. Mortgages are screwed.

    Now Facebook, what's next? Where can I hide?

    1. Anonymous Coward
      Linux

      MySQL still free.

      Oracle is not charging for MySQL -- at least not yet. They agreed to continue supporting GPL releases until at least 2015.

      In the meantime, the free software movement -- with the support of Monty Widenius, the original author -- has forked a GPL-only version called MariaDB. The intent is to continuously maintain MariaDB as binary compatible with MySQL, so that if Oracle's plan was to pull the GPL licensing in 2015 in order to kill off a competitor, then they just wasted one ... billion ... dollars. BWA HA HA HA!

  20. sisk
    Black Helicopters

    What, again?

    I've got this one figured out. Facebook is working on making the leakage of Facebook user details so routine that it's not news anymore. Then no one will ever know when they sell user details. It's all part of thier diabolical scheme to take over the world. BWAHAHAHAHA!

  21. Richard Porter
    FAIL

    Any company ...

    that sends me "targeted" ads is likely to exclude itself from my purchasing decisions.

    Anyway if an app asks for access to my profile (such as it is) I don't go any further with it.

  22. dssf

    Friending but Starving a facebook Contact? How to do?

    Does facebook allow users to selectively deprive a given "friend" of information we share with others? It may seem pointless, but as long as a "friend" has limited known contact with our friends (in other words, we on facebook appear to not have common friends as far as facebook displays), we may want to deprive or starve someone rather than outright drop someone.

    i cannot find such a facility in fb. Does anyone know if it is possible?

This topic is closed for new posts.

Other stories you might like