-
5th May 2010 22:25 #1
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,428
-
5th May 2010 22:30 #2
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,428
Steve O'Hear :
May 5, 2010 -- You’ve got to hand it to Facebook. They certainly know how to do security — not. Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information. Unbelievable I thought, until I just tested the exploit for myself. And guess what? It works.
The irony is that the exploit is enabled by the way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit. I know Facebook wants us to share more information and open up, but I’m not sure that this is quite what they had in mind. Because this has major implications for user privacy we’ve informed Facebook about this exploit.
Here is the video of the exploit in action:
After a few hours Facebook sent us this statement:
“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.”
-
6th May 2010 13:16 #3
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,428
Thursday 6 May 2010 -- A major security flaw was spotted on Facebook on Wednesday 5 May, forcing the social network's administrators to suspend access to the online "chat". As the site Techcrunch reveals, users of the site were able, for several hours, to access the conversations held live by their contacts on the instant messaging service, as well as other private information about them. "A major security flaw that allows any user to view, live and in a few clicks, the 'chats' of their Facebook friends," explains Steve O'Hear, technology journalist at Techcrunch, who immediately alerted the site to this worrying anomaly. In addition, it was possible to access one's contacts' friend requests and to see the number of friends in common, "a lot of sensitive information". This security flaw does indeed give access to several pieces of personal information about one's contacts. TechCrunch explains that these manipulations could be carried out simply by going to the privacy settings of one's own Facebook account, where one could authorise the display of one's contacts' personal data.
The video published by TechCrunch clearly shows the security flaw:
Chat disabled
On Wednesday afternoon, the chat function was no longer available on Facebook. The social network then announced that it had "interrupted chats as soon as we discovered the problem", adding that the technical team had "found a solution". A few hours later, at around 19:00 GMT (21:00 in Paris), instant messaging was restored for most Facebook users. This problem with the confidentiality of exchanges on Facebook comes as the site faces growing criticism over its respect for its users' privacy. Since last month, the social network has in fact introduced a feature that allows users to comment on web pages of partner sites. With more than 400 million users worldwide, Facebook is by far the largest social network on the internet.
-
6th May 2010 13:21 #4
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,428
May 6, 2010 -- Facebook has been forced to fix a security flaw which allowed users to spy on all the people in their friends networks. It meant the social networking site’s privacy features – designed to protect its users – could be exploited using a simple trick. With a few taps on the mouse users could see their friends’ ‘live chats’ and who had requested to join their network, functions which are meant to be private. Facebook temporarily removed the chat facility while it fixed the fault yesterday. However the embarrassing technical glitch is another blow to its tarnished privacy reputation.
Steve O'Hear, from security blog TechCrunch, which first reported the bug, said: 'The irony is that the exploit is enabled by the way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit. I know Facebook wants us to share more information and open up but I'm not sure that this is quite what they had in mind.'
IT experts have expressed concern at the security breach, which affected all 400 million users of the world's number one internet social network. Security specialist Candid Wueest said: ‘For any organisation, whether you are a networking site or not, privacy breaches are worrying. Unfortunately, this isn’t the first privacy breach of its kind to plague a social networking site – other high-profile sites have also been affected with similar problems.’ A spokesman for Facebook said that it had never intended the ‘live chat’ facility to be seen by other users. ‘When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function,’ he said.
The latest row follows criticism from U.S. legislators, who said Facebook was sacrificing their users' privacy in their attempt to expand their network across the web. A new 'social plug-in' enables Facebook's users to share their interests in such products as clothes, movies and music on other websites. Senator Charles Schumer said the onus instead should be on Facebook to get users' explicit consent, a process known as 'opting in.' 'They have sort of assumed all their users want their information to be given far and wide, which is a false assumption,' Mr Schumer said.






