Social Media Security Podcast 7 – New Facebook Privacy Settings, Twitter Lists, FTC and Bloggers

This is the 7th episode of the Social Media Security Podcast recorded December 21, 2009.  This episode was hosted by Scott Wright and Tom Eston.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Months Later, Old Facebook Privacy Problems Remain

I’ve tried. I’ve tried to give Facebook the benefit of the doubt. I’ve tried to look at the positive aspects of their service. I’ve tried to bring attention to issues and wait for solutions. I’ve tried to provide solutions. But tonight, I’m ready to give up on Facebook. After all the privacy and security problems I’ve seen with the Facebook Platform, I have to conclude that you should consider every action you take and all the content you post on Facebook to be public. If that bothers you, stop using Facebook.

Some might contend that this is the Internet we’re talking about – it’s supposed to be public. Partially true, but many web sites provide services intended for private use. I can use the Internet to check my bank account balance, open a new credit card, and contact my doctor. None of those are public activities. While I’m not naive enough to think that any online activity can be considered 100% secure, I can accept services that provide a reasonable level of privacy and security.

At one time, Facebook fell into that category. I used it to communicate with friends about my life and their lives. I exchanged messages, photos, and ideas never intended for public consumption. All the while, I relied on Facebook’s legendary privacy controls to ensure my content reached its intended audience only. Originally, Facebook didn’t simply discourage you from public sharing – it wasn’t even possible. You could hardly even communicate with people who had not approved you accessing their profile.

Eventually, Facebook introduced the Facebook Platform and began shifting priorities. They faced controversies along the way, from deceptive ads to the failed Beacon program. Most recently, they rolled out new privacy settings which many have criticized. In the midst of all these stories, I’ve spent time sifting through both news reports and code to understand what exactly was happening with my data. This started as little more than a hobby, but eventually it became more serious as I made some disturbing discoveries.

One such discovery involved noticing that advertisements in applications were making requests to the Facebook API for user information. The ad network queries were broad in scope and used to target ads more effectively. I first wrote about problematic ads in June of 2008, but the first time I confirmed that ads were exploiting the Facebook API came in June of this year. I discovered that applications were leaking a “session secret” to ad networks, allowing the ads to hijack application credentials and access user data.

Once I understood the power of a session secret, I began exploiting previous cross-site scripting vulnerabilities I’d uncovered to access user information. One of these holes dated back to at least February 2008. This initial work eventually led to the Month of Facebook Bugs, which spanned September of this year. The project demonstrated XSS issues affecting over 9,700 Facebook applications, all of which could be exploited to access user information (FAXX hacks). The list included many top applications, including ones supposedly verified by Facebook.

I’ve seen Facebook claim that they monitor API requests to avoid rogue applications harvesting user data. But after watching ad networks make broad requests for weeks, I had trouble seeing how they were being proactive. Similarly, while Facebook worked to patch all of the holes I reported in September, they would often give developers my contact information for help with the issues, and were quite obviously not actively watching for XSS problems in applications.

But as I said, I’ve tried to give Facebook the benefit of the doubt. When it came to problematic advertisements, Facebook seemed to take some action, and more recently I’d thought the old problems were essentially gone. As for application security, some could argue that it’s not Facebook’s responsibility to monitor application issues. However, with the brand association of the Platform and application XSS holes exposing loads of user data, Facebook owes it to their users to prevent more FAXX hacks from appearing.

I give that lengthy recap to explain what I report next. On day 25 of the Month of Facebook Bugs, I posted a vulnerability in an application called Photos I Love. At the time, it had just over one million monthly active users. The hole remained live for about a week after I first reported it, but eventually it disappeared. Photos I Love now has more than 2.3 million monthly active users.

But it also still has some of the same ads I criticized back in June. The application loads advertisements from SocialCash, and while the ads do not display any profile pictures or names, the code for the ads does load most of the information in a user profile. This code is executed within the context of the page, so the data is not necessarily sent back to SocialCash, but a few bits are definitely sent back, and with a few code changes by SocialCash it could all be sent back. In fact, SocialCash does receive a session secret via referrer URIs, and I’ve repeatedly demonstrated that such a setup allows for the full range of session secret API requests.

Even worse, the application still loads an iframe for SocialReach, one of the first ad networks banned by Facebook. The SocialReach iframe doesn’t actually display any ads, but it does load code with a session secret that makes broad API requests to Facebook. Fortunately, these requests currently fail, likely due to a mishandling of the session secret, but once again, a few code changes by SocialReach would start the data flowing again. Finally, the session secret is also leaked to affiliate marketer Gratis Network via referrer URIs.
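The referrer leak described in the two paragraphs above, as an added example that is not code from the original post or from any of the ad networks named: it models the browser sending a page's full URL as the Referer of every third-party resource, flags credential-bearing query parameters an ad origin would receive, and shows the fix of stripping them from the navigable URL. All hostnames, paths and parameter names (session_secret, session_key, api_sig) are constructed placeholders for this example, not Facebook's real ones.

```javascript
// Added example, not from the original post. Browsers in 2009 sent the full
// page URL (query string included, fragment excluded) as the Referer of every
// third-party request a page triggered: ad iframes, scripts, tracking pixels.
// Current browsers default to a stricter policy, so this reproduces the older
// behaviour explicitly.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = ''; // the fragment never leaves the browser
  return u.toString();
}

// Constructed list of parameter names that mean "this URL carries a credential".
const SECRET_PARAMS = ['session_secret', 'session_key', 'api_sig'];

// Report which credential parameters a third-party origin would receive in the
// Referer header when the page loads a resource from it.
function referrerLeaks(pageUrl, thirdPartyUrl) {
  const ref = new URL(refererFor(pageUrl));
  const leaked = SECRET_PARAMS.filter((name) => ref.searchParams.has(name));
  return { to: new URL(thirdPartyUrl).origin, referer: ref.toString(), leaked };
}

// Mitigation: remove credential parameters from the URL the browser navigates
// to (and therefore sends as Referer) before any third-party content loads.
// The secrets are handed back so the app can keep them in memory or send them
// in a POST body, never in a navigable URL.
function scrubUrl(pageUrl) {
  const u = new URL(pageUrl);
  const secrets = {};
  for (const name of SECRET_PARAMS) {
    if (u.searchParams.has(name)) {
      secrets[name] = u.searchParams.get(name);
      u.searchParams.delete(name);
    }
  }
  return { url: u.toString(), secrets };
}

// Constructed sample: an application page carrying its session secret in the
// query string and embedding an ad iframe served from a separate ad domain.
const APP_PAGE =
  'https://apps.example.test/photos/?uid=123&session_secret=CONSTRUCTED_SECRET#albums';
const AD_IFRAME = 'https://ads.example.test/serve?slot=1';

// Run the check before and after scrubbing and return both results.
function demo() {
  const before = referrerLeaks(APP_PAGE, AD_IFRAME);
  const clean = scrubUrl(APP_PAGE);
  const after = referrerLeaks(clean.url, AD_IFRAME);
  return { before, after, clean };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```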

After these rather appalling discoveries, I poked around Photos I Love a little more, and within minutes found another cross-site scripting vulnerability that could be exploited to hijack application credentials and access user information. I’ve found several FAXX hacks in applications since September, and the Facebook Platform Policy Team even asked once if they could copy me on e-mails to developers so that I could confirm patches directly. I wrote this in reply:

I don’t mind you cc’ing me on e-mails to developers, but I couldn’t make any guarantees on how much time I’d be able to invest re-checking holes or helping developers out with details. I view these reports as a courtesy, and try to provide enough details for you to verify where the vulnerabilities occur. Again, I don’t mind helping and am not trying to hurt anyone, but I’m also doing all of this as volunteer work and have other projects that take priority. And while I don’t want to sound rude, if Facebook were really concerned about XSS holes in applications, why not look for them in-house? I think the Month of Facebook Bugs report demonstrated how common such issues are, and that was mostly from me spending a few hours poking around various popular apps.

Cross-site scripting issues are a problem in any application. But when they occur in a Facebook application, they compromise Facebook itself in a very real sense. Yet if the Month of Facebook Bugs is any indication, XSS is widespread on the Facebook Platform. And while I noted in September that applications may include vulnerabilities besides the ones I posted, this second hack of Photos I Love gives firsthand evidence.

All of these issues lead me to conclude that Facebook values public sharing and advertising dollars more than users who want to communicate more privately. The content you post and the actions you take on Facebook are at times more easily accessible to applications, advertisers, and injected code than to your own friends. Perhaps those who want to broadcast publicly or use free social games are fine with such an arrangement. But it’s certainly not the Facebook I signed up for.


Facebook Knows What You Did Last Summer

Pardon the creative title. In working on accessing Facebook photo albums lately, I noticed that one of the stories on Mark Zuckerberg’s privacy settings mentioned that he’d removed his events from his profile. After finding a way to view public photo albums, I wondered if I could find a way to pull up a user’s public events. That pursuit taught me a little more about Facebook’s privacy settings, and also raised another aspect of Facebook privacy I’d not previously considered.

At first, I followed the same approach as with photos – I tried to make special requests that imitate what happens when you click on a tab in a user’s profile. Doing so brought up no event information for Mark Zuckerberg, but did for a friend of a friend. It turned out this behavior could actually be controlled by a user’s privacy settings. However, the setting may not be where you’d expect – it’s on your application settings page. Facebook treats their events module as an application, and in the settings for the Events application is a field controlling who can see the application. Setting it to “Only Friends” blocks the trick I was using if you’re not the person’s friend; I’m guessing the same setting for the Photos application would block the bookmarklet I posted.

But while Events does appear in the application settings page, it’s not your average application. I knew that the Facebook API included commands for requesting event data. I loaded up Facebook’s API Test Console, set the method to events.get, and put in a user ID.

What came up surprised me – a complete record of practically every public event that user had been invited to. Note that this was not a friend of mine. I could easily filter by whether they had RSVP’d that they were attending the event.

The list only includes “open events,” those that are publicly accessible. (Update: “Closed” events are also visible, just not “secret” events.) But the results reminded me of the controversy over Facebook’s original News Feed – while the feature didn’t expose any new data, it made it much easier to access. I’m guessing most Facebook users do not realize you can pull up a list of all the public events they’ve attended so easily.

Also, any application that a user authorizes also has access to secret events a user has been invited to, since the application operates on behalf of the user.

Seeing years of events come up when I put in my own Facebook ID was a wake-up call for me. I handle event requests routinely, but hadn’t really ever given thought to the fact that Facebook has stored all that information – and makes it accessible to others (for public events) and applications. It’s one more aspect of privacy that Facebook users may want to reconsider.


Easily View Hidden Facebook Photo Albums

In a previous post, I noted that Facebook had removed access to photo albums for any user not your friend. Soon after Facebook rolled out new privacy controls, some users noticed that they could view anyone’s photo albums marked visible to “everyone,” most notably a few from Facebook’s founder, Mark Zuckerberg. Soon after those reports, however, it appeared that the albums were no longer available, as “Photos” tabs disappeared from public profiles and visiting photos.php simply gave an error message.

But as I described, access had not been cut off – Facebook had simply made the albums harder to find. This practice, known as security through obscurity, can mislead users who think their hidden content is safe from prying eyes. To prove my point, I gave directions on how to load the public photo albums of any given Facebook user.

Those directions were a bit technical, however, and I wanted to make the point more obvious. After working through more Facebook code, I came up with a bookmarklet (a bit of JavaScript you can store as a bookmark in your browser) for viewing public photo albums. Bookmark this link, or copy the code below. (Tested in recent versions of Opera, Firefox, and Chrome.)

javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval('('+q+')');document.getElementById('tab_canvas').innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject("MSXML2.XMLHTTP"):null);x.onreadystatechange=y;x.open('POST','',true);x.send('id='+ProfileURIController._profileId+'&v=photos&__a=1');})()

Once you’ve saved the link, simply visit someone’s public Facebook profile, then load the bookmarklet. It will replace the body of the user’s profile with a list of links to public albums, if any are available. The results are not formatted well, and only include the first page of albums, but the code works enough to at least demonstrate that public albums are not as well-hidden as you might expect.

I’ve browsed through some random profiles, as well as some more prominent Facebook users, and I think many would be surprised by how many photos I was able to access through this trick. Note that this code does not circumvent privacy settings in any way – it simply makes visible albums you can rightfully access but that Facebook has hidden from view otherwise.

At some point, users who have followed default album settings in the past and left many photos accessible to “everyone” are in for a shock when they realize the implications of those choices. I personally think it best for them to realize that now instead of later, which is why I decided to release this technique.


Positive Developments from Facebook

A few months back, I recall security analyst Kevin Johnson musing that the security community often hears negative stories about hacks and vulnerabilities, but rarely does one see positive reports about the times when security works and black hats fail. I thought about this during the Month of Facebook Bugs, when I came across one application (My City) whose ASP.NET framework blocked my XSS attempts stone cold.

While it’s no secret that I don’t always see eye-to-eye with the leadership of Facebook, I wanted to take this post to give them a few shout-outs instead of critiquing. Amid all the negative reports about Facebook decisions, I have seen a few developments I find encouraging.

First, Facebook has taken action against deceptive advertisements and ad networks that harvest application credentials to access user information. While I’ve argued that some of these steps were long overdue and that Facebook could have done even more, I’m grateful that they did something and that they cracked down hard on credential hijacking.

Second, one of the main responses I’ve advocated for application problems is simply to better educate developers, and I would say that Facebook has done a much better job emphasizing security issues recently. (I’m not taking credit for the change, simply applauding it as a move I endorse.) Last month, Ryan McGeehan (Facebook’s manager for security incident response) posted an official blog entry reminding developers of important security issues, providing helpful resources on the subject, and announcing a new Platform wiki article with even more information. I know from experience that Ryan is a great guy who cares about security – he patiently fielded dozens of e-mails from me in September as I relayed details on the Month of Facebook Bugs. I’m thrilled to see a security section on the main documentation site for the Facebook Platform. By the way, Facebook also has a fan page with information on security, including a section dedicated to white hats – you can get your name there if you follow their responsible disclosure guidelines.

Finally, Facebook began enforcing new, stricter Platform policies today. Among the changes, developers are now required to

Provide a link to your privacy policy in the Info section of your Application Profile page and on every page of your application.

I was honestly surprised that Facebook would require a link on every page. After seeing quite disappointing results in my study on application privacy policies this summer, I congratulate Facebook on raising the bar. Many users may not notice the new links, but encouraging developers to establish and advertise privacy policies is a step in the right direction.

While I’m not afraid to make noise about negative trends or privacy risks I see in services such as Facebook or Google Wave, at the end of the day, it’s nothing personal. I may disagree with the developers or executives at Facebook about product architectures or content sharing, but I think we can all agree that we want to protect end users. The three steps listed above certainly help that goal, so in that regard, kudos to Facebook.


Fifteen significant social media & security events of 2009

I recently co-authored an article with Jennifer Leggio from ZDNet on the Fifteen significant social media & security events of 2009.  Be sure to check it out as there were *many* high profile attacks on social networks and their users this year.  The article also provides a preview of what we might see in 2010.  Thanks again to Jennifer for putting this article together!

Facebook Application Privacy Confusion Continues

Many technology journalists and privacy advocates have criticized aspects of Facebook’s new privacy controls and default settings. But I’ve noticed one aspect to the changes that I find disappointing, and thus far I’ve not seen it noted elsewhere.

You may recall that earlier this year, Facebook came under scrutiny by the Privacy Commissioner of Canada. Several concerns the Commissioner’s office raised related to Facebook applications. Readers of this blog were already quite familiar with privacy issues relating to applications, but the Canadian investigation brought them to the forefront, and Facebook responded by promising sweeping changes to their platform.

When the new privacy controls launched on my own Facebook profile, I took a look at the section for “Applications and Websites.” At first, my feelings were mixed. Facebook had finally made it clear that the checkboxes of various fields you could elect to share applied only to applications your friends used. (The previous setup was far more confusing and led to even major technology sites errantly reporting that the controls applied to applications you used as well.) But Facebook had also removed the option to exempt yourself from the Platform completely.

But then I clicked the button to “Learn More” about what I shared when using applications and web sites. I’ve long talked about the need to educate users, so perhaps this would finally clarify how much access applications have. Instead, I was stunned to read this statement:

When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.

Excuse me?

At first, I thought this was simply false. The way I read it, authorizing an application gave it access to your PAI and anything visible to “Everyone,” but if the application also wanted, say, your favorite movies, it would ask you first. While Facebook has vowed to eventually roll out such a setup, it has not yet appeared and was not promised to be fully in place until fall of next year.

But then I realized what the paragraph was actually communicating. An application has access to your PAI and anything visible to “Everyone” as soon as you stop by – no authorization necessary. (This may lead to a few surprises and scares in the near future.) That last bit about requesting your permission for any additional information refers to authorizing the application. In other words, if the application needs any more data, it will request authorization – which gives it access to all of your personal data.

Some may counter that the confusion here lies with me alone, and I ought not presume that users will make the same mistake. However, given that users have already been trained to authorize applications before using them at all (not to mention whether users even distinguish applications from the Facebook brand), I’m quite certain this new paragraph will continue to produce the sort of myths I’ve seen published about the old application privacy settings. In any event, Facebook has resorted to language that could at best be described as somewhat vague.

Please correct me if you think I’m wrong, but I find the last sentence of Facebook’s new explanation very misleading. It gives the impression that applications will politely ask users for more personal details if they become particularly necessary, when in fact most people who use a given application have already authorized it and thus already given it full access to personal profile information.

After all of the controversies, studies, confusions, misstatements, and problems that have come about this past year regarding privacy and Facebook applications, and especially in light of the previous pressure from Canada, I would have thought that Facebook would take this opportunity to add a more thorough and clear exposition of what applications can access and do with user information. Perhaps I’m being too hard on their new attempt. But if the past is any indication, I expect user misunderstandings over Facebook applications to persist.


Facebook Privacy & Security Guide Video Released

I finally got around to recording and editing the video walkthrough of the Facebook Privacy & Security Guide.

The video clocks in at about 18 minutes.  I also included information about email/text alerts, how applications work, Facebook Ads, and how to hide your friends list from public searches.  Stay tuned for other guides and videos for MySpace, Twitter and LinkedIn.

Want to help with these guides and videos?  Join the volunteer mailing list or send me an email at feedback [At ]
