
After two security glitches were revealed today, Facebook was forced to shut down chat functions while it worked on a fix. One bug allowed users to see allegedly private chats, while another exposed pending friend requests. Facebook didn’t notify users whose accounts may have been compromised, presumably because, hey, they’re Facebook, and they don’t have to.
Facebook issued a statement this afternoon, insisting that the bugs had been fixed, and chat would soon be restored:
For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.
At Consumer Reports’ “Social Insecurity” event yesterday, technology editor Jeff Fox said that social networks like Facebook encourage users to “drop their guard because it’s basically made up of friends and family, yet it’s a potentially dangerous environment. You’d never go out into Times Square and announce your personal information. Social networks are not that different.”
According to a CR study, 23% of Facebook’s users either don’t know that Facebook offers privacy controls, or choose not to use them. Of course, events like today’s don’t exactly inspire a lot of confidence in the ability of those tools to actually keep personal information private.
Facebook Security Flaw Publicizes Private Chats [NYTimes.com]
Consumer Reports survey: Social network users post risky information [Consumer Reports Electronics]
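The statement above describes a “preview my profile as a friend” feature that ended up showing the impersonated friend’s chats and pending requests. As an added illustration (constructed here, not Facebook’s code; all users and data are made up), this shows the two authorization properties such a feature needs: only the profile owner may invoke it, and impersonation must only affect audience filtering, never which session the page is built from.

```python
# Added example of a "preview my profile as <friend>" feature (constructed, not Facebook's code).
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)
    chats: list = field(default_factory=list)             # private to this user
    pending_requests: list = field(default_factory=list)  # private to this user
    profile: dict = field(default_factory=dict)           # field -> (value, audience)


USERS = {}  # constructed in-memory user directory


def add_user(uid, friends=(), chats=(), pending=(), profile=None):
    USERS[uid] = User(uid, set(friends), list(chats), list(pending), profile or {})


def visible_profile(owner, viewer_uid):
    """Owner's profile fields as the given viewer is allowed to see them."""
    is_friend = viewer_uid in owner.friends
    return {k: v for k, (v, aud) in owner.profile.items()
            if aud == "public" or (aud == "friends" and is_friend)}


class Forbidden(Exception):
    pass


def render_preview_vulnerable(session_uid, profile_id, viewas):
    # Defect 1: any logged-in user may preview any profile "as" any other user.
    # Defect 2: the page is assembled from the impersonated user's data, so that
    # user's private chats and pending friend requests are exposed to the caller.
    owner, viewer = USERS[profile_id], USERS[viewas]
    return {"profile": visible_profile(owner, viewas),
            "chats": viewer.chats,
            "pending_requests": viewer.pending_requests}


def render_preview_hardened(session_uid, profile_id, viewas):
    # Only the profile owner may preview, and only as one of their own friends.
    if session_uid != profile_id:
        raise Forbidden("preview is restricted to the profile owner")
    owner = USERS[profile_id]
    if viewas not in owner.friends:
        raise Forbidden("can only preview as an existing friend")
    # Impersonation changes the audience used for filtering the owner's fields;
    # everything private on the page still comes from the real session (the owner).
    me = USERS[session_uid]
    return {"profile": visible_profile(owner, viewas),
            "chats": me.chats,
            "pending_requests": me.pending_requests}
```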







The bug was that it was revealing private information without anyone paying them for it.
^^ this
Yup! Got it right on the very first post!
this is by far the astutest observation in regard to the brave new world of the facebook experiment
Facebook didn’t notify users whose accounts may have been compromised, presumably because, hey, they’re Facebook, and they don’t have to.
Maybe it was everyone’s accounts that were compromised and the only reason the PR statement said ‘some’ is because it doesn’t matter to the people who weren’t chatting and didn’t have pending friend requests.
Apparently Facebook existed a long time ago, in a galaxy far, far away…
Until they were kicked out for terrible privacy controls. Now they’re trying their luck in the Milky Way.
My favorite rule for social media is if you wouldn’t tell some random person walking down the street, don’t tell Facebook.
Nothing on there is secure and even less is private, but YOU have total control over what info FB can sell.
Nobody cares about your privacy or identity as much as you do.
My mom does!
I wish my mom did. No matter how many times I ask her to take her maiden name out of her FB profile she won’t. Apparently finding her high school friends that she hasn’t cared about in 40 years is more important than my sisters’ and my credit security.
Maiden name is a stupid security measure anyway. Lots of women keep their maiden name or revert back to it after divorce (and that’s assuming they got married in the first place).
Yeah, because finding out your mom’s maiden name is so top-secret that only high ranking government officials can get it. If the company you are dealing with (bank or cc) uses maiden name as their means to knowing if you are who you say you are then that is on them. I suggest you make up a maiden name. You are the one who gave it out.
dude, i totally tell random people on the street that i’m pissed that job interview went badly, and that i might have gotten an STD, and that i’m pretty sure that “chick” i picked up at the gay bar wasn’t really a chick….. what? Just me?
Right on top of things, those guys.
“For a limited period of time” = less than forever.
“some users’ chant accounts” = fewer than all but we’re not saying.
FarceBook security FTW.
CHAT, not chant. Edit button please…
Then again, “chant account” has a ring to it.
Oh, come on now…we don’t need the grammar police trolling the message boards.
Pffft not the GP. Was going to make a joke about monks using computers
“If you know the name of the miracle you would like to request, chant ‘one’ now.”
http://www.giantitp.com/comics/oots0007.html
LOL! “You have selected Colon Tumor” That was classic, thank you for the laugh!
Damn, you caught it before I could say anything! LOL
BTW your avatar made me queasy and that isn’t easy to do. I’d love to know how that happened.
Security is irrelevant to privacy – assume it will be hacked.
In this case, the hacking was made pretty darn easy. But the general principle stands.
I’m not sure if it matters, but I have had chat disabled from day one. With the amount of people I only quasi-like on my friends list, I have no desire to talk to them when I have perfectly good (and secure) alternative avenues to talk to people I actually want to.
HA! FOUND A TYPO!!! it says…
“When we received reports of the problem, our engineers…”
Silly consumers, Facebook doesn’t have engineers!
Sure they do. Engineers design systems that work, but only in one absolutely faultless set of exacting conditions, and have very little grasp of how ‘teh real world’ works.
Sad thing is, I’m going into engineering soon
This makes me happy that I finally got around to deleting my Facebook account yesterday; the whole website was already a mess of security holes and now this happens. Glad I got my information out of there when I did.
Here’s one thing they DIDN’T tell you, in either article, but I found from my own little research before the fix:
If you typed in the address bar, say, http://www.facebook.com/profile.php?id=%5Bprofileid%5D&viewas=%5Bsameprofileid or different one, as long as it’s in her friend list] you can view the full page of a non-friend. I tried this with an ex who I removed from my list, and who has her privacy settings so high you can’t even get any information past her UID and name from the new social graph.
Wow. That’s a pretty simple “exploit”. It’s an example of glaringly bad security QA.
Bug exposing private data! Huh, I always thought it was the users gleefully putting it all out there. My bad.
Facebook aside – this is just one example of the risks of “The Cloud” – where you trust other people to run your applications on their computers in their data center, or where you store your data on their computers in their data center.
If the data has any value to you whatsoever, don’t run it in someone else’s cloud. If you own/operate your own cloud, that’s generally OK. Using someone else’s… well, then you get Facebook, MySpace, and their ilk…
I still can’t figure out why people need to post all their crap anyhow. Does anyone give a shit?