A blue state Blog

Friday, May 02, 2008

Bloglines - Facebook Hacked Again



ReadWriteWeb

Facebook Hacked Again

By Sarah Perez

A report on BBC's technology program, Click, has exposed yet another security flaw in Facebook - one that could compromise users' privacy. This particular hack involves using a Facebook application to steal a user's personal information - and the information of all their friends - without the user's knowledge.

The hack exposed by the BBC involves an application that, once added by an unsuspecting user, sends the hacker all that person's personal details and those of their friends in a formatted list. The details sent include things like full name, hometown, date of birth, and employer. BBC reporter Spencer Kelly notes that while this information on its own isn't enough to steal someone's identity, it certainly would help.

It's possible for a malicious Facebook application, like the one used in the news story, to masquerade as a game or a quiz. And unlike protecting yourself from phishing emails, it's not simply good enough for you to "know better" yourself - if even one of your friends installs the app, your details get stolen too.
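The transitive exposure described above is easy to underestimate, so here is a small model of it as an added example. It is not code from the ReadWriteWeb article or from the BBC report, and it makes no Facebook API calls: the friendship graph, the user names and the profile records are constructed sample data, and the field list is simply the one the article says the app exfiltrated. The point it shows is that the set of people whose data leaks is every installer plus every friend of an installer, so a handful of installs can expose most of a network.

```python
# Added example (constructed data, not real Facebook data or API calls).
# Models the exposure pattern in the BBC story: a malicious app reads the
# installing user's profile and all of that user's friends' profiles.

from collections import defaultdict

# Fields the BBC report says the app sent to the attacker.
LEAKED_FIELDS = ("full_name", "hometown", "date_of_birth", "employer")

# Constructed sample friendship graph (undirected edges).
SAMPLE_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"),
    ("carol", "dave"), ("dave", "erin"), ("erin", "frank"),
    ("frank", "grace"), ("grace", "heidi"),
]

# Constructed sample profiles; only some users are listed to keep it short.
SAMPLE_PROFILES = {
    "bob": {"full_name": "Bob Example", "hometown": "Springfield",
            "date_of_birth": "1980-01-02", "employer": "Acme",
            "favourite_band": "not in the leaked list"},
    "dave": {"full_name": "Dave Example", "hometown": "Shelbyville",
             "date_of_birth": "1979-03-04", "employer": "Globex"},
}


def build_graph(edges):
    """Undirected friendship graph as an adjacency dict of sets."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_users(graph, installers):
    """Users the app can read: each installer plus every friend of an
    installer, whether or not that friend ever installed anything."""
    exposed = set(installers)
    for user in installers:
        exposed |= graph.get(user, set())
    return exposed


def exposure_report(graph, installers):
    """For each exposed user, whether they installed the app themselves and
    which installing friends leaked them regardless."""
    report = {}
    for user in exposed_users(graph, installers):
        via = sorted(f for f in graph.get(user, set()) if f in installers)
        report[user] = {"installed": user in installers,
                        "leaked_via_friends": via}
    return report


def exposure_fraction(graph, installers):
    """Share of the whole graph whose profile the app can read."""
    all_users = set(graph)
    if not all_users:
        return 0.0
    return len(exposed_users(graph, installers) & all_users) / len(all_users)


def leaked_records(profiles, graph, installers):
    """The 'formatted list' the attacker receives: only the leaked fields,
    only for exposed users that have a profile record."""
    exposed = exposed_users(graph, installers)
    return {
        user: {k: v for k, v in profile.items() if k in LEAKED_FIELDS}
        for user, profile in profiles.items()
        if user in exposed
    }


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for installers in ({"dave"}, {"dave", "grace"}):
        print(sorted(installers), "->",
              sorted(exposed_users(g, installers)),
              f"({exposure_fraction(g, installers):.0%} of the graph)")
    print(leaked_records(SAMPLE_PROFILES, g, {"dave"}))
```

With a single installer (dave) half of the eight-user sample graph is readable, and a second installer at the far end of the chain pushes it to seven of eight; alice is the only user never exposed, because none of her friends installed the app. Note that bob leaks his full name, hometown, date of birth and employer without ever having seen the app.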

Despite the severity of this potential hack, stories like this one are old news in the realm of those who follow social network hacking trends.

For example, white hat hacker "theharmonyguy" wrote on his blog Social Hacking back in March about an app he submitted to social media instructor Lee Aase's $100 hacking challenge. His app, once installed, would grab any available information from a private Facebook group. The app didn't win the challenge, however, since it required action on the part of the user to be successful.

However, theharmonyguy points out that although Facebook has a Terms of Use that restricts applications from storing most user data, "there is not a practical way for Facebook to enforce or even completely audit this requirement." And since these applications are third-party code running on the developers' own servers, not Facebook's, they are essentially operating on the honor system.

Facebook, especially, has been plagued by security lapses as of late, with the AP reporting news about a security exploit that exposed private photos on the site back in March. However as one of our own commenters pointed out, this hack was known as early as February, it just took the AP's coverage to bring attention to the matter.

Then there was a story in January about the Facebook app Secret Crush, which downloaded and installed spyware on your computer. However, it's not just Facebook under the gun - back in November, TechCrunch reported on an OpenSocial hack, this one involving RockYou and Plaxo.

Reading these types of stories reminds us that our security on these networks is in the hands of unknown developers, not just the sites themselves - developers who may be more concerned with getting their apps completed and installed than they are with security.

Facebook's response to this latest BBC story is that they have "an entire investigations team that watches the site and removes content and third-party applications that violate Facebook's Terms of Use." At the same time, they advise users to "employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop."

In other words, your security is left to the tech-savviness of you and your friends. (Considering my years in I.T./end user support, that's a frightening concept. Many users aren't smart, savvy, or careful when online.)

Even worse, if you do become a victim of an attack, good luck getting support from Facebook on dealing with it. As Lauren Cooney reports after her account was compromised to send out spam, she emailed the Facebook team several times, and spent the better part of an hour trying to track down a customer service number to no avail, noting "you would think that a company that collects that much data on their users would consider having a customer service number." In the end, it was nine hours before she received an email response.

What this means for the average social networker is that we need to be very careful on these networks, and should not entirely rely on them to keep us safe. If there's really a photo you don't want certain people to see, maybe it's best to keep it offline forever. We also need to be vigilant about the applications we install, on Facebook and elsewhere, and take the time to educate our friends to do the same.


