BBC's technology program, Click, is claiming to have "exposed a security flaw in the social networking site Facebook which could compromise privacy."

ReadWriteWeb, without a trace of humor, followed on with an article called Facebook Hacked Again. Yes, the title of the post was that sensationalist.

Fortunately for us Facebook users, the BBC and ReadWriteWeb show a fundamental misunderstanding of what is happening and of how applications can purportedly "steal" user information, and then proceed to scare us by obscuring the available solutions.

The BBC's Mistakes

Since the BBC's report is all video, here's a screen capture and a transcript of the voice-over that accompanies it.

An 31337 H4X0R

And the transcript:

We managed to write a very simple application which steals a user's personal Facebook details, and those of all their friends, without their knowledge.

Their report bothers me first as an engineer because the BBC talks as if this is some sort of sophisticated attack. Just look at the screen capture.

That's right — unless you're elite enough to be sitting in room lit like a rave working with two MacBook Pros there's just no way you'd be able to pull this shit off. Leave it to us, kid, we're professionals.

Snark aside, here's what's happening. In the summer of 2006 Facebook opened up their REST API to third-party websites. Yes, this actually pre-dates the platform, which launched less than a year ago in May of 2007.

Among other things, the API permits people to grant external websites permission to access a user's data. Since the launch of the Facebook platform most applications exist on Facebook itself, but the API remains the same.

When you try to log into or add an application here's an example of what you'd see. I've highlighted some relevant parts.
Add Application screen

So the BBC's claim that applications can access a user's data "without their knowledge" is dubious at best. Sure, it's likely that the user will bypass all that text and go right for the big blue button, but the BBC report makes it sound like applications are doing something sneaky.

Sorry, folks, but it's right there: Allow this application to know who I am and access my information. Check.

Imagine this exposé instead. "BBC Uncovers Fatal Flaw in Valet Parking System," in which our intrepid reporter poses as a valet and drives off with someone's car. It's so easy, and there's nothing stopping them!

But we trust valets not to do it because the valet will get fired and the police will arrest him. And it's the same on Facebook. In fact, Facebook requires that developers adhere to its Terms of Use, which explicitly forbid such uses of user information. Of course, using this data for identity theft is more than just a violation of Facebook's Terms of Use; it's a violation of the law.

Exaggerated Dangers

The BBC mentions the above Terms of Use clause in passing, but then states quickly that your information is at risk if even only one of your friends installs an application. Yikes! Is that true?

Well, yes and no. Yes, under certain configurations applications can get information about a user's friends even if those friends haven't installed the application. But you're nowhere near as helpless as the BBC makes you seem.

Here is a screenshot of Facebook's Application Privacy page:

Notice the text above the field of options.

The following settings apply only to Facebook Platform applications to which you have not already granted access or explicitly restricted. For these applications, the information you select will be available to friends and other users who can already see your information on Facebook.

The BBC and ReadWriteWeb are a day late and a dollar short. Not only is it against Facebook's rules to "steal" user data in this way, but Facebook actually provides mechanisms that allow users to secure their data. I, personally, don't let applications I haven't installed see more than my Facebook photo. They can't get my name, date of birth, location — any of that.

To summarize, the BBC and ReadWriteWeb didn't really uncover anything except a way to abuse a feature intentionally built into the Facebook platform in a way that Facebook anticipated two years ago. What they claim is technically accurate but the dangers are grossly exaggerated.

There are at least four levels of protection.

  1. Facebook forbids developers from storing user data in their Terms of Use.
  2. Facebook provides mechanisms for me to hide data from applications I have installed directly.
  3. For applications that I haven't installed but my friends have installed, I have full control over what they can and cannot see on Facebook's Application Privacy page.
  4. Above all this, there is the law. Identity theft is illegal and using something like Facebook to steal personal data probably only increases the risks. If I were looking to steal someone's identity I'd rather just look through their garbage, personally.
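As an added illustration (not code from this post, and not Facebook's implementation), the following Python models the decision the post describes for an application asking about a user: an explicit restriction wins, then the user's own grant, and otherwise the Application Privacy default, capped by what the friend running the app could already see. Application and field names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the protection layers the post describes; the
# field and application names are illustrative, not Facebook's.
PROFILE_FIELDS = {"photo", "name", "birthday", "location"}

@dataclass
class UserPrivacy:
    # What this user's friends can see on the profile itself.
    visible_to_friends: set = field(default_factory=set)
    # Apps the user added themselves, mapped to the fields they allowed.
    granted: dict = field(default_factory=dict)
    # Apps the user explicitly restricted on the Application Privacy page.
    restricted: set = field(default_factory=set)
    # Default for apps that are in neither list above.
    default_for_other_apps: set = field(default_factory=set)

def fields_visible_to_app(app: str, target: UserPrivacy, via_friend: bool) -> set:
    """Fields `app` may read about `target`.

    via_friend is True when the app acts for one of the target's friends
    rather than for the target (the scenario in the BBC report).
    """
    if app in target.restricted:
        return set()                                        # blacklisted
    if app in target.granted:
        return set(target.granted[app]) & PROFILE_FIELDS    # own grant
    if not via_friend:
        return set()                   # no grant, not reached via a friend
    # Unknown app reached through a friend: the default policy applies, but
    # only to fields that friend could already see on the profile.
    return target.default_for_other_apps & target.visible_to_friends

def demo() -> dict:
    """Three constructed users with different Application Privacy settings."""
    author = UserPrivacy(visible_to_friends=set(PROFILE_FIELDS),
                         granted={"word-game": {"photo", "name"}},
                         restricted={"sketchy-quiz"},
                         default_for_other_apps={"photo"})  # the post's setting
    untouched = UserPrivacy(visible_to_friends=set(PROFILE_FIELDS),
                            default_for_other_apps=set(PROFILE_FIELDS))
    cautious = UserPrivacy(visible_to_friends={"photo", "name"},
                           default_for_other_apps=set(PROFILE_FIELDS))
    return {
        "friend_app_vs_author": fields_visible_to_app("friend-quiz", author, True),
        "friend_app_vs_untouched": fields_visible_to_app("friend-quiz", untouched, True),
        "friend_app_vs_cautious": fields_visible_to_app("friend-quiz", cautious, True),
        "restricted": fields_visible_to_app("sketchy-quiz", author, True),
        "own_grant": fields_visible_to_app("word-game", author, False),
    }
```

Only the user who never changed the default exposes every field to a friend's application; the other two cases show the two settings the post points to doing their work.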

This is not a hack and Facebook has controls for dealing with this on both the developer side and user side. Don't buy into the BBC's and RWW's sensationalism. Please.

6 Comments

  1. Anatoly Lubarsky May 1st, 2008 / 6:30 pm

    the truth is that apps can collect friends' data

    >> For application that I haven’t installed but my friends have installed, I have full control over what they can and cannot see on Facebook’s Application Privacy page.

    the problem is - you don’t even know what apps your friends use,
    so how can you block them? supposing that you trust your friends.

  2. Jesse May 1st, 2008 / 6:40 pm

    Anatoly,

    Look at the privacy page. There are no references to any specific applications.

    It applies to any and all applications I haven’t explicitly granted or denied access to my information. It says that right in the text of the page: “The following settings apply only to Facebook Platform applications to which you have not already granted access or explicitly restricted.”

    I can do three things with applications: whitelist them, blacklist them, and set the default access policy. The Application Privacy page, which is the section you’re quoting, lets me set the default policy.

    I’ve set it so, by default, applications can only get my profile photo. If a friend installs an app I haven’t whitelisted or blacklisted that’s all it can access.

  3. Robin Cannon May 1st, 2008 / 6:43 pm

    @Anatoly - the privacy configuration noted above is a universal setting, so there’s no need to know what applications your friends are using. You’re setting your privacy as regards all their applications.

    As regards the article as a whole, while I think the BBC exaggerated the danger some, I think this underestimates it. Yes, I think Facebook has got itself legally covered because of the options it’s providing users. But I also think it’s legitimate to highlight that many (most?) Facebook users may not be the most tech-savvy and that the potential dangers, and the extent to which they can protect themselves using Facebook’s own settings, are going to go over their head. Certainly it’s not something that Facebook highlights, for obvious reasons.

  4. Jesse May 1st, 2008 / 6:51 pm

    Robin,

    I’ll eat my words if there’s one instance of identity theft aided by this technique. IMO it’s too complicated, the benefit is too little, and it’s too easy to mitigate if it becomes known.

    I see, for example, people getting their Facebook accounts phished on a regular basis and spamming their friends with ring tone offers. People who have access to a real, live account can do much more damage, e.g., they can get people’s emails and phone numbers, which is simply impossible with the API.

  5. Matt May 1st, 2008 / 7:08 pm

    I think you unfairly throw RWW under the bus. Their headline was not sensationalist in the least (which is obvious to anyone who, you know, read the article). In fact they are saying “Yawn yawn, Facebook Hacked Again… surprise surprise.” Which, by the very nature of the fact that Facebook’s “rules” have been usurped by a clever programmer and users’ data taken advantage of, means that, indeed, “Facebook was hacked”.

    RWW go on to point out the need for user action to allow such exploits to work. They also privilege their readers to the facts that commenter Robin Cannon pointed out: most users are unaware of the risk involved in allowing 3rd party access to data. Most users don’t understand REST requests or APIs. Most users would be shocked to find out that their favorite Facebook applications are not official Facebook properties in the least. (Do you actually think most people pay attention to all the squiggly patterns that you and I call “words” (aka the plain warnings about 3rd party authorization)?? They don’t.)

    The BBC was using language that they knew the common person would understand and hoped it would force them to be very leery next time they log into Facebook (as well they should be)… something you, in a hasty act of injustice, are trying to downplay.

    So, in the interest of all the “moms” out there, take a step back and recall the BBC piece and then read your article… who is dangerous? You are. After watching the BBC piece my Mom would be incredibly cautious with her Facebook account for fear of “hackery” or foul play. Your article, on the other hand, makes it sound like the world is peachy and Facebook and “the law” are policing everything to keep us all safe from malice. Anyone with an iota of intelligence and know-how concerning the web should be well aware that our data are not safe and average people need all the help they can get in realizing that they should not be so free with their trust. In the future I would hope, that in the interest of my mom, you would think twice before A.) trying to “punk out” mainstream media for informing their audience of the dangers of personal information online and B.) criticizing a headline of a fellow blog without reading the article it identifies.

  6. Jesse May 1st, 2008 / 7:32 pm

    Matt,

    First, their title sure as hell is sensationalist. Facebook wasn’t “hacked,” unless you consider someone violating an end-user license “hacking.” No technical controls were circumvented. The headline is there to get pageviews, period.

    Second, the TOS was not usurped, it was violated, and the programmer was not clever. The Facebook API supports this behavior, for heaven’s sake! That’s why the TOS forbids it and why there are two mechanisms by which end-users can control the level of access applications have to their information.

    Third, I did read the article.

    Fourth, RWW was wrong on the facts, just as the BBC was. Read the third paragraph in their story. I’ll reproduce it here:

    It’s possible for a malicious Facebook application, like the one used in the news story, to masquerade as a game or a quiz. And unlike protecting yourself from phishing emails, it’s not simply good enough for you to “know better” yourself - if even one of your friends installs the app, your details get stolen too.

    This is simply wrong. Facebook’s Application Privacy page is there precisely for this purpose. I can stop my friends’ applications from accessing my information. The level of control I have is surprisingly granular, actually.

    But yes, most users aren’t savvy enough to move beyond the default settings, and most don’t read the fine print. Of course I understand that.

    At best the evidence supports an argument that Facebook users are at risk of having some of their personal details stolen by third parties. Given that I know of no instance where this scenario played out, at least the “severe” scenario painted by the BBC and RWW, I’m not too worried and Grandma shouldn’t be either.

    In short, all of this is intended behavior. Facebook anticipated it two years ago when they first launched the API and put several levels of control to prevent it. Both the BBC and RWW, by talking about “exploits,” “attacks,” “hackers,” etc. are just ginning up an empty story to get pageviews. Simple as that.
