Facebook Disables Chat After Bug Exposes Private Data

After two security glitches were revealed today, Facebook was forced to shut down chat functions while it worked on a fix. One bug allowed users to see allegedly private chats, while another exposed pending friend requests. Facebook didn’t notify users whose accounts may have been compromised, presumably because, hey, they’re Facebook, and they don’t have to.

Facebook issued a statement this afternoon, insisting that the bugs had been fixed, and chat would soon be restored:

For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.

At Consumer Reports’ “Social Insecurity” event yesterday, technology editor Jeff Fox said that social networks like Facebook encourage users to “drop their guard because it’s basically made up of friends and family, yet it’s a potentially dangerous environment. You’d never go out into Times Square and announce your personal information. Social networks are not that different.”

According to a CR study, 23% of Facebook’s users either don’t know that Facebook offers privacy controls or choose not to use them. Of course, events like today’s don’t exactly inspire a lot of confidence in the ability of those tools to actually keep personal information private.

Facebook Security Flaw Publicizes Private Chats [NYTimes.com]
Consumer Reports survey: Social network users post risky information [Consumer Reports Electronics]

Comments

  1. diasdiem says:

    The bug was that it was revealing private information without anyone paying them for it.

  2. Rectilinear Propagation says:

    Facebook didn’t notify users whose accounts may have been compromised, presumably because, hey, they’re Facebook, and they don’t have to.

    Maybe it was everyone’s accounts that were compromised and the only reason the PR statement said ‘some’ is because it doesn’t matter to the people who weren’t chatting and didn’t have pending friend requests.

  3. Loias supports harsher punishments against corporations says:

    Apparently Facebook existed a long time ago, in a galaxy far, far away…

    Until they were kicked out for terrible privacy controls. Now they’re trying their luck in the Milky Way.

  4. s017jrs says:

    My favorite rule for social media is if you wouldn’t tell some random person walking down the street, don’t tell Facebook.
    Nothing on there is secure and even less is private, but YOU have total control over what info FB can sell.
    Nobody cares about your privacy or identity as much as you do.

    • Loias supports harsher punishments against corporations says:

      My mom does!

      • s017jrs says:

        I wish my mom did. No matter how many times I ask her to take her maiden name out of her FB profile she won’t. Apparently finding her high school friends that she hasn’t cared about in 40 years is more important than my sisters and my credit security.

        • Rectilinear Propagation says:

          Maiden name is a stupid security measure anyway. Lots of women keep their maiden name or revert back to it after divorce (and that’s assuming they got married in the first place).

        • MichiganWolverine says:

          Yeah, because finding out your mom’s maiden name is so top-secret that only high ranking government officials can get it. If the company you are dealing with (bank or cc) uses maiden name as their means to knowing if you are who you say you are then that is on them. I suggest you make up a maiden name. You are the one who gave it out.

    • FacebookAppMaker says:

      dude, I totally tell random people on the street that I’m pissed that job interview went badly, and that I might have gotten an STD, and that I’m pretty sure that “chick” I picked up at the gay bar wasn’t really a chick… what? Just me?

  5. legwork says:

    Right on top of things, those guys.

    “For a limited period of time” = less than forever.
    “some users’ chat accounts” = fewer than all but we’re not saying.

    FarceBook security FTW.

  6. crb042 says:

    Security is irrelevant to privacy – assume it will be hacked.

    In this case, the hacking was made pretty darn easy. But the general principle stands.

  7. ajlei says:

    I’m not sure if it matters, but I have had chat disabled from day one. With the amount of people I only quasi-like on my friends list, I have no desire to talk to them when I have perfectly good (and secure) alternative avenues to talk to people I actually want to.

  8. Wang_Chung_Tonight says:

    HA! FOUND A TYPO!!! it says…

    “When we received reports of the problem, our engineers…”

    Silly consumers-Facebook doesn’t have engineers!

    • Mr. Fix-It says: "Canadian Bacon is best bacon!" says:

      Sure they do. Engineers design systems that work, but only in one absolutely faultless set of exacting conditions, and have very little grasp of how ‘teh real world’ works.

      Sad thing is, I’m going into engineering soon :(

  9. Little Peeps says:

    This makes me happy that I finally got around to deleting my Facebook account yesterday. The whole website was already a mess of security holes and now this happens. Glad I got my information out of there when I did.

  10. FacebookAppMaker says:

    Here’s one thing they DIDN’T tell you, in either article, but I found from my own little research before the fix:

    If you typed in the address bar, say, http://www.facebook.com/profile.php?id=[profileid]&viewas=[the same profile id, or a different one, as long as it’s in her friend list] you can view the full page of a non-friend. I tried this with an ex whom I removed from my list, and who has her privacy settings so high you can’t even get any information past her UID and name from the new social graph.

    • skapig says:

      Wow. That’s a pretty simple “exploit”. It’s an example of glaringly bad security QA.
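The bug Facebook’s statement describes (previewing your profile as a friend exposed that friend’s chats and pending requests) and the `viewas` trick in the comment above are the same class of defect: a “view as” feature that lets the request choose an identity and then renders too much of the page under that identity, without first checking that the requester owns the profile. The following Python model is an added example written for this page, not Facebook’s code or anything from the articles; the accounts, function names (`preview_vulnerable`, `preview_fixed`) and page layout are all hypothetical. It puts the flawed preview beside a hardened one so the two authorization checks that were missing can be seen, and tested, in isolation.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    name: str
    friends: set = field(default_factory=set)
    chats: list = field(default_factory=list)             # this user's private chat log
    pending_requests: list = field(default_factory=list)  # uids who sent this user a request


# Constructed sample accounts (hypothetical, not data from the article).
USERS = {
    1: User(1, "alice", friends={2}, chats=["alice->bob: lunch?"], pending_requests=[3]),
    2: User(2, "bob", friends={1, 3}, chats=["bob->carol: keep this quiet"], pending_requests=[4]),
    3: User(3, "carol", friends={2}, chats=["carol->bob: ok"]),
    4: User(4, "dave"),
}


def profile_content(profile: User, viewer: User) -> dict:
    """The part of `profile` that `viewer` may see: name always, friend list only to friends or the owner."""
    page = {"uid": profile.uid, "name": profile.name}
    if viewer.uid == profile.uid or viewer.uid in profile.friends:
        page["friends"] = sorted(profile.friends)
    return page


def session_sidebar(user: User) -> dict:
    """Data that belongs to the logged-in session only (chats, pending friend requests)."""
    return {"chats": list(user.chats), "pending_requests": list(user.pending_requests)}


def preview_vulnerable(session_uid: int, profile_id: int, viewas: int) -> dict:
    """Flawed 'preview my profile as X': renders the whole page as if `viewas` were logged in.

    Defect 1: no check that the session user owns the profile, so any session can
              preview any profile through whichever viewer identity it names.
    Defect 2: the impersonated identity also drives the private sidebar, so that
              user's own chats and pending requests end up on the page.
    """
    acting = USERS[viewas]
    page = profile_content(USERS[profile_id], acting)
    page.update(session_sidebar(acting))
    return page


def preview_fixed(session_uid: int, profile_id: int, viewas: int) -> dict:
    """Hardened preview: only the owner may preview, and only profile content is rendered."""
    if session_uid != profile_id:
        raise PermissionError("only the profile owner may preview the profile")
    if viewas not in USERS:
        raise LookupError("unknown viewer identity")
    # The impersonated identity affects visibility of the owner's profile content only;
    # it never selects whose session data is shown, so nothing of `viewas` leaks.
    return profile_content(USERS[profile_id], USERS[viewas])


def is_denied(preview, session_uid: int, profile_id: int, viewas: int) -> bool:
    """True when the given preview function refuses the request with PermissionError."""
    try:
        preview(session_uid, profile_id, viewas)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Owner previews her own profile as a friend: the flawed path leaks the friend's chats.
    print(preview_vulnerable(1, 1, 2))
    # A non-friend previews a locked-down profile as one of its friends: the friend list leaks.
    print(preview_vulnerable(4, 3, 2))
    # The hardened path shows only what the chosen viewer would see, and refuses non-owners.
    print(preview_fixed(1, 1, 2))
    print(is_denied(preview_fixed, 4, 3, 2))
```

The two checks are independent: the owner check alone would still have leaked the impersonated friend’s chats to the profile owner, and keeping session data out of the preview alone would still have let a non-friend read a locked profile. A regression test for a feature like this should cover both cases separately.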

  11. Invader Zim says:

    Bug exposing private data! Huh, I always thought it was the users gleefully putting it all out there. My bad.

  12. dg says:

    Facebook aside – this is just one example of the risks of “The Cloud” – where you trust other people to run your applications on their computers in their data center, or where you store your data on their computers in their data center.

    If the data has any value to you whatsoever, don’t run it in someone else’s cloud. If you own/operate your own cloud, that’s generally OK. Using someone else’s… well, then you get Facebook, MySpace, and their ilk…

  13. AllanG54 says:

    I still can’t figure out why people need to post all their crap anyhow. Does anyone give a shit?