Thursday, May 06, 2010

Oops, they've done it again...

Video: Major Facebook security hole lets you view your friends’ live chats (Update 1)

May 5, 2010 by Dissent

Steve O’Hear writes:

You’ve got to hand it to Facebook. They certainly know how to do security — not.

Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information.


The irony is that the exploit is enabled by the way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit.

Read more on TechCrunch, where Steve posted the following video showing the exploit in action:


Hat-tip, Rick Forno, who notes that FB chat has been unavailable all morning.

Update: Steve got a response from Facebook hours later that said, in part:

“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the ‘preview my profile’ feature of Facebook privacy settings,” Facebook said in a statement.

How limited was the period of time, Facebook? And maybe, as the journalists’ group in the UK asked, you might do a better job of testing things before you release them?

(Related) Even The Atlantic finds this noteworthy.

Facebook Suffers Yet Another Privacy Glitch
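The statement above describes a "preview my profile as a friend" feature that ended up exposing the friend's own private data. The following is an added toy model, not Facebook's code, and the mechanism it shows is an assumption about the general class of bug (a preview that impersonates the viewer instead of merely filtering the owner's data); all names and data are constructed.

```python
# Added example (not Facebook's code): a toy model of a "preview my profile
# as a friend" feature. It contrasts a preview that switches the session to
# the chosen friend, which exposes that friend's private data, with one that
# keeps the profile owner as the data subject and only changes the visibility
# filter. The mechanism is an assumption about the bug class; data is constructed.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # profile field -> (value, visibility); visibility is
    # "public", "friends" or "only_me"
    profile: dict = field(default_factory=dict)
    # private data that belongs to this user alone
    chats: list = field(default_factory=list)
    pending_requests: list = field(default_factory=list)


ALLOWED = {
    "self": {"public", "friends", "only_me"},
    "friend": {"public", "friends"},
    "stranger": {"public"},
}


def relationship(owner: User, viewer: User) -> str:
    if owner is viewer:
        return "self"
    return "friend" if viewer.name in owner.friends else "stranger"


def visible_profile(owner: User, viewer: User) -> dict:
    """The owner's profile fields that the viewer is permitted to see."""
    allowed = ALLOWED[relationship(owner, viewer)]
    return {k: v for k, (v, vis) in owner.profile.items() if vis in allowed}


def dashboard(session_user: User) -> dict:
    """What a logged-in user sees on their own page, private data included."""
    return {
        "profile": visible_profile(session_user, session_user),
        "chats": list(session_user.chats),
        "pending_requests": list(session_user.pending_requests),
    }


def preview_as_flawed(owner: User, friend: User) -> dict:
    # Flawed design: "show me what my friend sees" is implemented by rendering
    # the page as if the friend were logged in, so the friend's own chats and
    # pending requests come along with it.
    return dashboard(friend)


def preview_as(owner: User, friend: User) -> dict:
    # Sound design: the data subject stays the owner; only the visibility
    # filter is evaluated from the friend's point of view. Nobody's private
    # data other than the session owner's is ever loaded.
    if friend.name not in owner.friends:
        raise PermissionError("preview is only offered for existing friends")
    return {"viewed_as": friend.name, "profile": visible_profile(owner, friend)}


def leaks_private_data(view: dict, victim: User) -> bool:
    """Audit helper: does a rendered view contain any of the victim's private data?"""
    rendered = repr(view)
    return any(item in rendered for item in victim.chats + victim.pending_requests)


def build_sample():
    # Constructed users: alice previews her profile as her friend bob sees it.
    alice = User("alice", friends={"bob"},
                 profile={"name": ("Alice", "public"),
                          "city": ("Berlin", "friends"),
                          "phone": ("555-0100", "only_me")})
    bob = User("bob", friends={"alice"},
               profile={"name": ("Bob", "public")},
               chats=["bob->carol: secret plan"],
               pending_requests=["dave wants to be friends"])
    return alice, bob


if __name__ == "__main__":
    alice, bob = build_sample()
    print("flawed preview leaks bob's data:", leaks_private_data(preview_as_flawed(alice, bob), bob))
    print("fixed preview leaks bob's data: ", leaks_private_data(preview_as(alice, bob), bob))
```

The test worth keeping in a regression suite is the `leaks_private_data` check: a preview rendered for owner A, viewed as friend B, must never contain anything drawn from B's private records, whatever the visibility rules say.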

Dilbert on: Reading employee email.

Privacy statistics

Users are Their Own Worst Enemy for Online Privacy

Here are some of the key findings of the Consumer Reports survey:

A projected 1.7 million online households had experienced online identity theft in the past year.

An estimated 5.4 million online consumers submitted personal information to e-mail (phishing) scammers during the past two years.

Among adult social network users, 38 percent had posted their full birth date, including year. Forty-five percent of those with children had posted their children's photos. And 8% had posted their own street address.

An estimated 5.1 million online households had experienced some type of abuse on a social network in the past year, including malware infections, scams, and harassment.

Include the draft bill.

Draft Of Privacy Bill Introduced... And Pretty Much Everyone Hates It

...and I have the right to laugh at them.

Teenager's trouser ban 'breaches human rights'

The government will have to get into this business with a lower cost option. “You can hide your identity online as long as we know who you are offline.”

Hot Sales In China For Wi-Fi Key-Cracking Kits

Posted by timothy on Wednesday May 05, @06:19PM

alphadogg writes

"Dodgy salesmen in China are making money from long-known weaknesses in a Wi-Fi encryption standard, by selling network key-cracking kits for the average user. Wi-Fi USB adapters bundled with a Linux operating system, key-breaking software, and a detailed instruction book are being sold online and at China's bustling electronics bazaars. The kits, pitched as a way for users to surf the Web for free, have drawn enough buyers and attention that one Chinese auction site had to ban their sale last year. With one of the 'network-scrounging cards,' or 'ceng wang ka' in Chinese, a user with little technical knowledge can easily steal passwords to get online via Wi-Fi networks owned by other people. The kits are also cheap. A merchant in a Beijing bazaar sold one for 165 yuan ($24), a price that included setup help from a man at the other end of the sprawling, multistory building."

For many of my Security classes...

Google Releases a Web-App Case Study For Hackers

Posted by timothy on Wednesday May 05, @04:49PM

Hugh Pickens writes

"The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities."

"In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."
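Two of the bug classes the codelab is organized around, reflected cross-site scripting and cross-site request forgery, are small enough to show as a vulnerable handler beside its hardened form. The block below is an added example written for this post, not Jarlsberg's own code; the handler names, the session layout and the probe inputs are constructed.

```python
# Added example, not Jarlsberg's own code: a deliberately vulnerable handler
# beside its hardened form for two of the bug classes the codelab covers,
# reflected cross-site scripting (XSS) and cross-site request forgery (CSRF).
# Handler names, session layout and inputs are constructed for illustration.
import html
import hmac
import secrets

# --- Cross-site scripting -------------------------------------------------

def greeting_vulnerable(name: str) -> str:
    # User input is interpolated straight into HTML: any markup in `name`
    # becomes part of the page (reflected XSS).
    return f"<p>Hello, {name}!</p>"


def greeting_hardened(name: str) -> str:
    # Escape at the output boundary so the input is rendered as text, not markup.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

# --- Cross-site request forgery ------------------------------------------

def new_session() -> dict:
    # Per-session secret token; the browser's cookie alone must not be enough
    # to authorize a state-changing request.
    return {"user": "alice", "csrf_token": secrets.token_hex(16), "posts": []}


def post_message_vulnerable(session: dict, form: dict) -> int:
    # Authenticates the request by the session cookie only. A third-party page
    # can make the victim's browser submit this form with the cookie attached.
    session["posts"].append(form["message"])
    return 200


def post_message_hardened(session: dict, form: dict) -> int:
    # Require a token that only a page served by this site could have read.
    # Constant-time comparison avoids leaking the token through timing.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["posts"].append(form["message"])
    return 200


def demo() -> dict:
    """Constructed inputs standing in for a black-box tester's probes."""
    probe = "<script>alert(1)</script>"          # classic reflected-XSS probe
    session = new_session()
    forged = {"message": "I love spam"}          # no token: a cross-site form post
    legit = {"message": "hi", "csrf_token": session["csrf_token"]}
    return {
        "xss_vulnerable": greeting_vulnerable(probe),
        "xss_hardened": greeting_hardened(probe),
        "forged_vulnerable": post_message_vulnerable(new_session(), forged),
        "forged_hardened": post_message_hardened(session, forged),
        "legit_hardened": post_message_hardened(session, legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The white-box view of the same code is what makes the fixes obvious: the vulnerable greeting has no escaping call on its output path, and the vulnerable post handler never reads anything that a cross-origin page could not have supplied.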

On my summer reading list...

The Age Of Facebook: Excerpts From The New Book By David Kirkpatrick

Tools for ebook users

Convert eBook formats at Zamzar – free and online
