<![CDATA[Consumerist: applications]]> http://consumerist.com/tag/applications <![CDATA[ Kmart Will Trade You A Bottle Of Coke <i>Or</i> Free Candy For A Sears Credit Card App ]]> Dan sent us this pic he snapped in a local Kmart and writes, "I remember a previous post on a Wal-Mart card that offered a 2-liter bottle, but I guess inflation caught up with big K as they are only offering 20-oz."

Starbucks grotesquely mishandled their free coffee stunt—they could have been collecting credit card apps all day long.

]]>
Tue, 08 Apr 2008 17:13:42 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=377520&view=rss&microfeed=true
<![CDATA[ Adobe has joined FotoFlexer, Rsizr, and ... ]]> Adobe has joined FotoFlexer, Rsizr, and Piknic to offer a free online image editor, Photoshop Express. ArsTechnica says it's pretty good for a cross-platform browser app, although it's got some limitations in this beta launch. (Currently US only.) [ArsTechnica]

]]>
Thu, 27 Mar 2008 14:49:53 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=373034&view=rss&microfeed=true
<![CDATA[ Are You Sure You Want To Add That Facebook App? ]]> Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, which are listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing the moods of another user, and re-routing gifts, "but this information could be used to mount large scale social engineering attacks if automated and coupled with other information." To illustrate how easy it is to change another user's settings, he pointed us to a YouTube example of how to change another user's "mood" via the Mood app.

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as it is when they are using the first-party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.
 
At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
 
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
 
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo
 
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users.
This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
 
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user id's, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds, or those that protect us against them, to ignore. I hope you can help me get the word out.
 
Sincerely, Gregory
Bottom line: if you're going to use Facebook, be aware that there's no guarantee that the app you just added to your page was well-written or secure against basic hacking techniques.

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

]]>
Wed, 26 Mar 2008 21:47:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=372699&view=rss&microfeed=true
<![CDATA[ Go Buy A Shredder Right Now ]]> A shredder is an indispensable tool for keeping your identity safe and secure. If you receive credit card offers or have old bank statements littering your files, then you can't do without a cross-cutting shredder to slice and dice your personal information into an indecipherable medley of confetti. Frugal For Life points out a few of the many reasons we all should be devout shredders.

I was reading some different articles about shredding paper while I was doing research into the type of paper shredder I had wanted to buy. It seems that the percentage of people who use a paper shredder is somewhere between 18% and 51%. That's a lot of people who don't shred paper and are susceptible to identity fraud.

I haven't had that happen yet, thankfully. But reading the stories in the paper or seeing news on TV definitely makes me aware that I don't want to be part of that club.

Since dumpster diving is perfectly legal in most areas of the country, you don't want your information floating around that is easily read. I will qualify this by saying that the majority of dumpster divers (like myself) are honest people and wouldn't even consider a crime of that nature. However it is the small percentage that always seems to ruin things for everyone and make life difficult.

Cross-cutting action is key. Committed identity thieves can piece together strip-shredded documents, and credit card companies readily accept torn applications.

Shredding can also be productive and fun. Instead of throwing out shredder leavings, use them as packing material, pet beds, or makeshift confetti for impromptu ticker-tape parades. If you don't want a shredder at home, use one in the office. If you have kids, consider a hamster-powered shredder. Just get a shredder. And resist the urge to shred the instructions.

Buy a Shredder [Frugal For Life]
(AP Photo/Paul Sancya)

]]>
Sat, 01 Mar 2008 14:08:36 EST Carey http://consumerist.com/index.php?op=postcommentfeed&postId=362698&view=rss&microfeed=true
<![CDATA[ Idea: Find Your Way Through The Mall Via GPS ]]> Now that we've got such advanced cell phone technology, Russel Shaw with ZDNet thinks we should start putting it to use to make shopping in the real world easier. His idea, free for the taking if you're feeling entrepreneurial: shopping mall geolocation services.

It would be maps of shopping malls in your metro area, downloadable to your cell. But that's just the start of it. I would then envision participating shopping centers being outfitted with technology that could hone in on your cell signal when you activate this application on your cell. If you are looking for a specific store in the mall, you would then enter a voice command: such as "Wet Seal."

Your request would go to a database located on a server in the mall. The server would then retrieve Wet Seal's location in the mall from the database, and then compare that location with where you are at present. Optimally, this information could be derived from triangulating the source of your cell signal. More practically, your location could be obtained by you reciting the name of the nearest store to your current position.

Using your current location as Point A, and your desired destination within the mall as Point B, you would then receive a set of directions on your phone. You then should be able to play them back as talking directions. Just like your larger-world, outside-the-mall GPS or navigation system may be able to do right now.

A reader points out that the service could be co-opted for similar consumer benefits "such as finding your car in a parking garage or your seat in a theatre."

Shaw thinks one way the service could pay for itself is as "a value-add for carriers, who might charge shopping malls a modest participation fee for being in the database"—but we think that's a very 1990s business model, and we'd prefer carriers be cut out of it completely since they don't play well with others. Much better is his idea that "individual retailers who would like to be in their mall's geolocator database could pay for ads" that would appear within the application. (Yes, we know, more ads. Someday you'll be able to pay for surgery with ads, and for the rest of your life your femur will broadcast little text messages to any RFID-equipped device that passes within 15 inches.) Even better than that, we think, is a model that doesn't tap the consumer for payment, whether in cash or ad views—if the service was helpful enough to increase shopping activity for a retailer, it should pay for itself.

"The best mobile application idea I can think of..shopping mall geolocation services!!" [ZDNet]
(Photo: Getty)

]]>
Thu, 20 Dec 2007 23:55:07 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=336570&view=rss&microfeed=true
<![CDATA[ Ohio Attorney General Sues Credit Card Marketers Over Ohio State "Free Burrito" Event ]]> Ohio Attorney General Mark Dunn is suing Citibank-affiliated credit card marketers for violating Ohio's consumer protection laws during a "Free Burrito" event at Ohio State University.

Fliers pasted around Ohio State's campus offered students a "free burrito" for showing their Ohio State ID at the restaurant. The fliers made no mention that filling out a credit card application was required. Ohio is arguing that this violates the definition of "free" in Ohio's consumer protection laws because the terms of the offer were not disclosed on the fliers.

Similar fliers were posted luring students to Potbelly Sandwich Works. Delicious, but deceptive.

State Of Ohio vs. Campus Dimensions, INC. (PDF) [State of Ohio]
Editorial: Citibank's credit card come-on proves there's no such thing as a free lunch [The Plain Dealer]

]]>
Mon, 24 Sep 2007 10:45:11 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=302935&view=rss&microfeed=true