Help, Facebook's Hacking Me!

by Jesse Farmer on Thursday, May 1, 2008

BBC's technology program, Click, is claiming to have "exposed a security flaw in the social networking site Facebook which could compromise privacy."

ReadWriteWeb, without a trace of humor, followed on with an article called Facebook Hacked Again. Yes, the title of the post was that sensationalist.

Fortunately for us Facebook users, the BBC and ReadWriteWeb show a fundamental misunderstanding of what is happening and of how applications can purportedly "steal" user information, and then proceed to scare us by obfuscating the possible solutions.

The BBC's Mistakes

Since the BBC's report is all video, here's a screen capture and a transcript of the voice-over that accompanies it.

[Screen capture: "An 31337 H4X0R"]

And the transcript:

We managed to write a very simple application which steals a user's personal Facebook details, and those of all their friends, without their knowledge.

Their report bothers me first as an engineer because the BBC talks as if this is some sort of sophisticated attack. Just look at the screen capture.

That's right — unless you're elite enough to be sitting in a room lit like a rave, working with two MacBook Pros, there's just no way you'd be able to pull this shit off. Leave it to us, kid, we're professionals.

Snark aside, here's what's happening. In the summer of 2006 Facebook opened up their REST API to third-party websites. Yes, this actually pre-dates the platform, which launched less than a year ago in May of 2007.

Among other things, the API permits people to grant external websites permission to access their data. Since the launch of the Facebook platform most applications live on Facebook itself, but the API remains the same.

When you try to log into or add an application, here's an example of what you'd see. I've highlighted some relevant parts.

[Screenshot: Add Application screen]

So the BBC's claim that applications can access a user's data "without their knowledge" is dubious at best. Sure, it's likely that the user will bypass all that text and go right for the big blue button, but the BBC report makes it sound like applications are doing something sneaky.

Sorry, folks, but it's right there: Allow this application to know who I am and access my information. Check.

Imagine this exposé instead. "BBC Uncovers Fatal Flaw in Valet Parking System," in which our intrepid reporter poses as a valet and drives off with someone's car. It's so easy, and there's nothing stopping them!

But we trust valets not to do it because the valet will get fired and the police will arrest him. And it's the same on Facebook. In fact, Facebook requires that developers adhere to its Terms of Use, which explicitly forbid such uses of user information. Of course, using this data for identity theft is more than just a violation of Facebook's Terms of Use; it's a violation of the law.

Exaggerated Dangers

The BBC mentions the above Terms of Use clause in passing, but then states quickly that your information is at risk if even only one of your friends installs an application. Yikes! Is that true?

Well, yes and no. Yes, under certain configurations applications can get information about a user's friends even if those friends haven't installed the application. But you're nowhere near as helpless as the BBC makes you seem.

Here is a screenshot of Facebook's Application Privacy page:

Notice the text above the field of options.

The following settings apply only to Facebook Platform applications to which you have not already granted access or explicitly restricted. For these applications, the information you select will be available to friends and other users who can already see your information on Facebook.

The BBC and ReadWriteWeb are a day late and a dollar short. Not only is it against Facebook's rules to "steal" user data in this way, but Facebook actually provides mechanisms that allow users to secure their data. I, personally, don't let applications I haven't installed see more than my Facebook photo. They can't get my name, date of birth, location — any of that.

To summarize, the BBC and ReadWriteWeb didn't really uncover anything except a way to abuse a feature intentionally built into the Facebook platform, one whose risks Facebook anticipated two years ago. What they claim is technically accurate, but the dangers are grossly exaggerated.

There are at least four levels of protection.

  1. Facebook forbids developers from storing user data in their Terms of Use.
  2. Facebook provides mechanisms for me to hide data from applications I have installed directly.
  3. For applications that I haven't installed but my friends have installed, I have full control over what they can and cannot see on Facebook's Application Privacy page.
  4. Above all this, there is the law. Identity theft is illegal and using something like Facebook to steal personal data probably only increases the risks. If I were looking to steal someone's identity I'd rather just look through their garbage, personally.
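To make the access-control logic described above concrete, here is an added model of the policy the post lays out (installed app, explicitly restricted app, or neither, in which case the Application Privacy selection applies, capped by what the requesting friend could already see on the profile). This is constructed illustration code, not Facebook's API or data model; the user ids, app ids and field names are made up.

```python
from dataclasses import dataclass, field, replace


@dataclass
class UserPrivacy:
    """Privacy state of one profile owner (constructed model, not Facebook's)."""
    user_id: str
    friends: set = field(default_factory=set)
    installed_apps: dict = field(default_factory=dict)     # app_id -> fields granted on Add Application
    restricted_apps: set = field(default_factory=set)      # apps the owner explicitly blocked
    app_privacy: set = field(default_factory=set)          # fields chosen on the Application Privacy page
    visible_to_friends: set = field(default_factory=set)   # profile fields friends can see anyway
    visible_to_everyone: set = field(default_factory=set)  # profile fields any user can see anyway


def profile_fields_seen_by(owner: UserPrivacy, viewer: str) -> set:
    """What `viewer` can already see on the profile, with or without an application."""
    return set(owner.visible_to_friends if viewer in owner.friends else owner.visible_to_everyone)


def app_visible_fields(owner: UserPrivacy, app_id: str, on_behalf_of: str) -> set:
    """Fields `app_id` may read about `owner` when called on behalf of `on_behalf_of`."""
    if app_id in owner.restricted_apps:
        return set()                                   # explicit restriction wins over everything
    if app_id in owner.installed_apps:
        return set(owner.installed_apps[app_id])       # what the owner agreed to at install time
    if on_behalf_of == owner.user_id:
        return set()                                   # owner never granted this app anything
    # Not installed, not restricted: the Application Privacy selection applies,
    # limited to what the requesting user could already see on the profile.
    return owner.app_privacy & profile_fields_seen_by(owner, on_behalf_of)


def demo() -> dict:
    """The post's own setting (only the photo exposed to apps the owner never installed)
    next to the loose default the BBC report relied on."""
    jesse = UserPrivacy(
        user_id="jesse", friends={"alice"},
        installed_apps={"scrabble": {"name", "photo", "birthday"}},
        restricted_apps={"sketchy_quiz"},
        app_privacy={"photo"},
        visible_to_friends={"name", "photo", "birthday", "location"},
        visible_to_everyone={"name", "photo"},
    )
    loose = replace(jesse, app_privacy=set(jesse.visible_to_friends))  # everything friends see
    return {
        "installed": app_visible_fields(jesse, "scrabble", "jesse"),
        "friend_app": app_visible_fields(jesse, "friend_finder", "alice"),
        "stranger_app": app_visible_fields(jesse, "friend_finder", "mallory"),
        "restricted": app_visible_fields(jesse, "sketchy_quiz", "alice"),
        "loose_setting": app_visible_fields(loose, "friend_finder", "alice"),
    }
```

The `loose_setting` entry is the scenario the BBC demonstrated; the `friend_app` entry is the same request after the owner tightens the Application Privacy page.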

This is not a hack and Facebook has controls for dealing with this on both the developer side and user side. Don't buy into the BBC's and RWW's sensationalism. Please.