Wednesday, May 5, 2010

Major Facebook Security Bug -- On Top Of Bad Policy

Facebook recently added this "Connections" feature which many of you probably unwittingly signed up for. I did. Each time you would log onto facebook, it would give you the opportunity to convert all the things you entered into your profile page into "connections" -- your music, likes, interests, and so on.

Programming: Scary and Insecure

Facebook "Security"

I'll explain the new policy below, but far more frightening is a bug I came across while messing with the new privacy settings.

The picture at left is my profile as it would appear to one of my friends. This is something you can do in Privacy settings.

Those chat windows are not mine.

Those message waiting, friend request, and status update indicators are not mine.

I can see my friends' outstanding friend requests, and type in the chat windows.

I have no idea what the practical implication of this bug might be, but it is very clear that Facebook's code does not isolate your profile and session information from others at a basic level. Like a jilted lover, Facebook has become scary and insecure.

There is no way that any system with a functioning security model would ever let something like this happen. What this means is that information which should only be available to my friend when they are logged in, was shown to someone else.

My friend's friend requests. I am not nearly this popular.
Let me repeat this. This should never happen, ever. Even if someone made a programming error in this section (that shows you what your profile would look like to someone else) -- there is no way I should ever have seen open chat windows or friend requests. That information, related to my friends' profile and session, should be at the highest possible level of security in Facebook and never shown to anyone other than that specific user, when they are logged in.

This raises serious concerns about the hackability of Facebook - that is, it's almost certainly vulnerable to fairly basic security exploits. Core profile information is not only unprotected at a basic level but was shown to me accidentally.
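To make the isolation point concrete, here is an added illustration of the bug class the post describes, written for this page and not Facebook's code: the users, field names and functions are invented. A "view my profile as my friend" feature has two inputs that must stay separate: whose profile is being rendered and for whom it is being filtered (a visibility context), versus whose session the page belongs to (chat windows, unread count, friend requests). The vulnerable version implements the preview by impersonating the friend wholesale, so the friend's session-scoped widgets ride along; the fixed version keeps the real session and passes the friend only as a visibility context.

```python
"""Hypothetical reconstruction of a "preview profile as friend" leak.

Added example, not code from the original post or from Facebook. The
User model, audience rules and all names below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # profile field -> (value, audience), audience is "everyone" or "friends"
    profile: dict = field(default_factory=dict)
    # session-scoped state that must only ever be shown to this user
    open_chats: list = field(default_factory=list)
    friend_requests: list = field(default_factory=list)
    unread_messages: int = 0


def visible_profile(owner: User, viewer: User) -> dict:
    """Profile fields of `owner` that `viewer` is permitted to see."""
    is_friend = viewer.name in owner.friends
    return {
        k: v
        for k, (v, audience) in owner.profile.items()
        if audience == "everyone" or (audience == "friends" and is_friend)
    }


def render_page(session_user: User, profile_owner: User, viewer: User) -> dict:
    """A page is a viewer-filtered profile plus the *session user's* widgets."""
    return {
        "profile": visible_profile(profile_owner, viewer),
        "chats": list(session_user.open_chats),
        "friend_requests": list(session_user.friend_requests),
        "unread": session_user.unread_messages,
    }


def preview_as_vulnerable(me: User, other: User) -> dict:
    # BUG: the preview is implemented by swapping the whole session identity
    # to `other`, so `other`'s chats, requests and unread count are rendered.
    return render_page(session_user=other, profile_owner=me, viewer=other)


def preview_as_fixed(me: User, other: User) -> dict:
    # The session stays mine; `other` only changes which profile fields show.
    return render_page(session_user=me, profile_owner=me, viewer=other)


def leaked_session_state(page: dict, real_user: User) -> list:
    """Names of session widgets on `page` that do not belong to `real_user`."""
    leaks = []
    if page["chats"] != list(real_user.open_chats):
        leaks.append("chats")
    if page["friend_requests"] != list(real_user.friend_requests):
        leaks.append("friend_requests")
    if page["unread"] != real_user.unread_messages:
        leaks.append("unread")
    return leaks


def build_sample():
    """Constructed sample data mirroring the post's setup (not real accounts)."""
    me = User("me", profile={"music": ("jazz", "friends"), "city": ("Boston", "everyone")},
              open_chats=["chat with joke account"])
    friend = User("friend", open_chats=["chat with bob"],
                  friend_requests=["carol"], unread_messages=3)
    stranger = User("stranger")
    me.friends.add("friend")
    friend.friends.add("me")
    return me, friend, stranger


if __name__ == "__main__":
    me, friend, stranger = build_sample()
    print("vulnerable preview leaks:", leaked_session_state(preview_as_vulnerable(me, friend), me))
    print("fixed preview leaks:", leaked_session_state(preview_as_fixed(me, friend), me))
    print("fixed preview as stranger shows:", preview_as_fixed(me, stranger)["profile"])
```

The check worth keeping from this is `leaked_session_state`: any page rendered under a preview or impersonation feature should carry exactly the authenticated user's session state and nothing else, regardless of whose eyes the profile is being filtered for.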

Is this bug reproducible?

Yes. I have a "joke" facebook account that is friends with a few of my friends. I sent myself a message from the "joke" account, and opened up a chat window in my real account.

When logged in using my joke account (from a different computer entirely) and viewing my "joke" profile as my real account, I could see the message waiting indicator, and the chat window that I had open in my real account.

Did you tell facebook about it?

Yes, and it sure took some doing to find their bug report form. Now taking bets on how soon it will be before my account is disabled, which is their usual response to any communication about a problem.

This Isn't Exactly Rare

A bit of googling turns up numerous reports of similar security breaches in the last couple of months, which further reinforces just how shaky the basic security design of Facebook is.

Facebook bug might have exposed your inbox - February 25, 2010

Facebook bug delivers mail to the wrong people - February 25, 2010

Facebook bug exposes private email addresses - April 1, 2010


Policy: Bad

This change came with new privacy settings, which seems to be a fairly routine event these days. Most people probably didn't realize that by finally acquiescing to the "connections" thing, you made all that information public. This article explains what "connections" does to privacy. The long and short is that anything you "like" is now publicly associated with your name, and there's nothing you can do about it.

Supposedly, you can prevent your "likes" from appearing directly on your facebook page, though in practice that does not seem to work. But even if you could, from the viewpoint of the thing itself that you are "liking," your name will show up on their list, meaning that it will end up in every marketing database known to man.

2 comments:

Alex said...

Facebook sucks. I'm on it because all my friends are on it, and these days if you cut yourself off from it you're cutting yourself off from actual people, to some extent. But I keep hoping something better will come along to serve the same function.

Jamie said...

I'm about at the end of my rope on it. It's one-stop shopping to make a profile of me and all my relationships.

This will become a problem when I go rogue and leave the grid.