British Democracy Forum
01-05-2008, 05:29 AM   #1
Westcountryman (Uber Member)
Join Date: Dec 2005
Location: The Westcountry.
Posts: 5,922
Party: None

Identity 'at risk' on Facebook

By Spencer Kelly
Presenter, BBC Click


Personal details of Facebook users could potentially be stolen, the BBC technology programme Click has found.

The popular social networking site allows users to add a variety of applications to their profile.

But a malicious program, masquerading as a harmless application, could potentially harvest personal data.

Facebook says users should exercise caution when adding applications. Any programs which violate their terms will be removed, the network said.

Stealing details

Facebook is the darling of the moment, allowing friends to stay in touch, post photos, and share fun little games and quizzes. And it also lets you keep your details private from the rest of the world. Or at least that is the implication.

We have discovered a way to steal the personal details of you and all your Facebook friends without you knowing.

We made up the fictitious profile of Bob Smith. He keeps most of his details on his profile private from non-friends.

While we could not get all details, what we did get, including his name, hometown, school, interests and photograph, would certainly help us to steal someone's identity.

Mining data

So how did we do it?

Using a couple of laptops and our resident coder Pete, we created a special application for Facebookers to add.

One of the reasons Facebook has become so popular so quickly is because of the wealth of applications users can add to their profile pages.

Little games, quizzes, IQ tests, there are thousands of them available. And once you have added an application, your friends are encouraged to add it too.

Anyone with a basic understanding of web programming can write an application.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users' friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people's security?

Security

Now, many applications do need access to your details, in order to work properly.

We do not know of any specific application which abuses user information, apart from ours.

But the ease with which we created our application has many people worried. If it is being used you would not even have to use the application we created to become a victim, you would just have to be a friend of someone who has.

Because these applications run on third-party servers, not run by Facebook - it is difficult for the company to check what is going on, whether anything has changed, and how long applications store data for and what they do with it.

Although Facebook's terms and conditions contain a warning that this could in theory happen, and offer the option to stop an application from accessing your details, many games and quizzes would not work if this option is engaged.

In fact, the only way we can see of completely protecting yourself from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.

So has Facebook done enough to protect its users from identity theft?

Paul Docherty is the Technical Director of Portcullis Security, which advises several governments on IT security matters including the British government.

He told us he believed that Facebook's terms and conditions stated on the site meant that Facebook had legally covered itself from any liability.

But he added: "Morally, Facebook has acted naively."
He said: "Facebook needs to change its default settings and tighten up security."

He also believes it would be difficult to secure the current system because so many third party applications are now in circulation.

Removal team

We put these concerns to Facebook.

It told us that it has an entire investigations team watching the site, and removing applications that violate its terms of use which would include our Miner application.

It also advises users to use the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop.

Now, all this comes in the month that competitor MySpace opened up its application platform. However, it handles them differently - here all applications run on its own servers so it can see what they are up to.

MySpace also manually checks all submissions and rechecks them if authors wish to change the code. We were unable to create a similar threat to users' security using the MySpace system.

It certainly seems that Facebook's standard security settings are not sufficient to protect your personal information, and those of your friends.

You can watch the full report on Click's website on Thursday, 1 May, 2008 from 2100 BST

BBC NEWS | Programmes | Click | Identity 'at risk' on Facebook

BBC NEWS | Programmes | Click | Click's Facebook security advice

_______________________________________________________

Highlights that web security is more important than ever. Be careful folks.
__________________
Manus haec inimica tyrannis ense petit placidam sub libertate quietam - "This hand of mine, which is hostile to tyrants, seeks by the sword quiet peace under liberty."

Last edited by Westcountryman; 01-05-2008 at 05:33 AM.
01-05-2008, 11:48 AM   #2
Alex McKee (Moderator)
Join Date: Apr 2005
Location: Gloucester
Posts: 6,666

Hardly a surprise. Now perhaps people will understand why I don't add all the apps I'm sent.
__________________

Anything I post on this web forum is my personal opinion only.

Users on Ignore list: None.
01-05-2008, 12:49 PM   #3
Westcountryman (Uber Member)
Join Date: Dec 2005
Location: The Westcountry.
Posts: 5,922
Party: None

Quote:
Originally Posted by Alex McKee
Hardly a surprise. Now perhaps people will understand why I don't add all the apps I'm sent.

Indeed. My privacy controls on Facebook are quite strict anyway, but I've also slimmed down on the number of applications on my profile.
01-05-2008, 12:58 PM   #4
John Connor (Senior Member)
Join Date: Jan 2008
Location: Hard Working Families' Socialist Republic of Untied Kingdomistan
Posts: 1,038
Party: None

News just in: Actually having an account on Facebook can seriously damage your rock and roll cred.

__________________
There are three types of people in this world: Libertarians, fascists and those who haven't been paying attention.

Users on ignore list: Akria, Besoeker, Clippo, david H, Ian C.
01-05-2008, 01:10 PM   #5
Hartlepool (Uber Member)
Join Date: Jan 2005
Location: North East England
Posts: 6,814
Party: Popular Democrats

Quote:
Originally Posted by John Connor
News just in: Actually having an account on Facebook can seriously damage your rock and roll cred.


That's it then, I'm not joining up.

I do have a reputation to think of after all.
01-05-2008, 01:16 PM   #6
Westcountryman (Uber Member)
Join Date: Dec 2005
Location: The Westcountry.
Posts: 5,922
Party: None

Quote:
Originally Posted by John Connor
News just in: Actually having an account on Facebook can seriously damage your rock and roll cred.

I doubt I had any to begin with.
02-05-2008, 09:11 AM   #7
ChrisB (Member)
Join Date: Jun 2005
Posts: 130

Quote:
Originally Posted by Alex McKee
Hardly a surprise. Now perhaps people will understand why I don't add all the apps I'm sent.

You don't have to. You just have to have a friend that does:

Quote:
But the ease with which we created our application has many people worried. If it is being used you would not even have to use the application we created to become a victim, you would just have to be a friend of someone who has.
Moral of the story: Don't have install-happy friends?
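
The exposure described in the article quoted in post #1, including the point raised in post #7 that a friend's install is enough, can be checked with a small access model. This is an added example, not code from the BBC report, Facebook's platform or any poster in this thread; the profiles are constructed, and the `opt_outs` flag and `default_deny` policy switch are hypothetical names for the opt-out and stricter default the article mentions.

```python
"""Toy model of delegated profile access on a social platform (constructed data)."""

# Constructed sample profiles: visibility per field is "everyone", "friends" or "only_me".
PROFILES = {
    "bob": {"name": "friends", "hometown": "friends", "school": "friends",
            "interests": "friends", "photo": "friends", "phone": "only_me"},
    "alice": {"name": "everyone", "hometown": "friends", "phone": "only_me"},
    "carol": {"name": "friends", "hometown": "only_me"},
}
FRIENDS = {("alice", "bob"), ("alice", "carol")}   # undirected friendships
INSTALLS = {"quiz_app": {"alice"}}                 # hypothetical app; only alice added it


def are_friends(a, b):
    return (a, b) in FRIENDS or (b, a) in FRIENDS


def visible_to(viewer, owner):
    """Fields of `owner` that `viewer` may read under owner's privacy settings."""
    allowed = {"everyone"}
    if viewer == owner:
        allowed |= {"friends", "only_me"}
    elif are_friends(viewer, owner):
        allowed.add("friends")
    return {f for f, vis in PROFILES[owner].items() if vis in allowed}


def app_exposure(app, opt_outs=frozenset(), default_deny=False):
    """Map each user to the fields `app` can read.

    The app acts with each installer's view (the behaviour the article describes).
    opt_outs: users who disabled sharing through friends' apps (hypothetical flag).
    default_deny: platform policy where an app only sees its own installers.
    """
    exposure = {}
    for installer in INSTALLS.get(app, ()):
        for owner in PROFILES:
            if owner != installer and (default_deny or owner in opt_outs):
                continue
            fields = visible_to(installer, owner)
            if fields:
                exposure.setdefault(owner, set()).update(fields)
    return exposure


def audit(app, **policy):
    """Users whose data the app reads although they never installed it."""
    installers = INSTALLS.get(app, set())
    return sorted(u for u in app_exposure(app, **policy) if u not in installers)
```

Under the default policy `audit("quiz_app")` lists bob and carol although only alice added the app; with `default_deny=True` the list is empty.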
Tags
Applications, Facebook, Security Risk
