<![CDATA[Consumerist: flaws]]> http://consumerist.com/tag/flaws <![CDATA[ Are You Sure You Want To Add That Facebook App? ]]> Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing another user's mood, and re-routing gifts, "but this information could be used to mount large scale social engineering attacks if automated and coupled with other information." To illustrate how easy it is to change another user's settings, he pointed us to a YouTube example of how to change another user's "mood" via the Mood app.

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as it is when they are using the first-party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.
 
At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
 
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
 
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo
 
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users.
This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
 
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user ids, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds, or those that protect us against them, to ignore. I hope you can help me get the word out.
 
Sincerely, Gregory
Bottom line: if you're going to use Facebook, be aware that there's no guarantee that the app you just added to your page was well-written or secure against basic hacking techniques, such as editing a hidden form field before it is submitted.
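The check Gregory's letter says these developers skipped, written out as an added example; it is not code from the 2600 article, from Facebook, or from the Moods, Super Wall or Free Gifts apps. The point is twofold: a handler that changes data must take the acting user's id from something the platform signed, never from a form field the browser controls, and a handler that serves another user's history must check the relationship before returning it. The fb_sig_* parameter names and the HMAC-SHA256 signature are assumptions of this example, modeled on how a canvas app of that era learned who was logged in; the app secret, the friend graph and the mood store are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data for this example: an app secret, a friend graph and a
# per-user mood history store. None of it comes from the apps named in the letter.
APP_SECRET = b"example-app-secret-not-real"
FRIENDS = {1001: {1002}, 1002: {1001}, 1003: set()}
MOOD_HISTORY = {1001: ["happy"], 1002: ["tired"], 1003: ["bored"]}

SIG_PREFIX = "fb_sig_"  # assumed naming for the platform-supplied, signed fields


def sign_params(params, secret=APP_SECRET):
    """Signature over the platform-supplied parameters (user id, timestamp, api key).

    Canonical form is the sorted 'key=value' pairs run together. HMAC-SHA256 is an
    assumption of this example; it stands in for whatever the platform actually used.
    """
    canonical = "".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def verify_request(request, secret=APP_SECRET):
    """Return the user id the platform vouched for, or None if the signature fails.

    Only fields carrying the signed prefix are covered by the signature; ordinary
    form fields such as 'uid' or 'mood' are entirely under the browser's control.
    """
    signed = {k[len(SIG_PREFIX):]: v for k, v in request.items() if k.startswith(SIG_PREFIX)}
    if "user" not in signed:
        return None
    expected = sign_params(signed, secret)
    if not hmac.compare_digest(expected, request.get("fb_sig", "")):
        return None
    return int(signed["user"])


def platform_request(user, form_fields):
    """Build a request the way the platform would deliver it for `user`, with the
    app's own form fields appended (these are what a user can edit in Firebug)."""
    signed = {"user": str(user), "time": "1206560000", "api_key": "example-api-key"}
    request = {SIG_PREFIX + k: v for k, v in signed.items()}
    request["fb_sig"] = sign_params(signed)
    request.update(form_fields)
    return request


# --- The vulnerable pattern from the letter: trust the uid in the form ---------
def set_mood_vulnerable(request):
    """Writes to whichever uid the form says, so User A can set User B's mood."""
    target = int(request["uid"])
    MOOD_HISTORY.setdefault(target, []).append(request["mood"])
    return target


# --- Hardened: identity comes from the signed request, not from the form --------
def set_mood(request):
    """Writes only to the authenticated user's own record; the form's uid is ignored."""
    actor = verify_request(request)
    if actor is None:
        raise PermissionError("missing or invalid request signature")
    MOOD_HISTORY.setdefault(actor, []).append(request["mood"])
    return actor


def get_mood_history(request, target_uid):
    """Serves a mood history only to its owner or to one of the owner's friends."""
    actor = verify_request(request)
    if actor is None:
        raise PermissionError("missing or invalid request signature")
    if actor != target_uid and actor not in FRIENDS.get(target_uid, set()):
        raise PermissionError("viewer is not the owner or a friend of the owner")
    return list(MOOD_HISTORY.get(target_uid, []))


if __name__ == "__main__":
    # User 1003 submits the mood form but edits the hidden uid field to 1001.
    tampered = platform_request(1003, {"uid": "1001", "mood": "furious"})
    print("vulnerable handler wrote to", set_mood_vulnerable(tampered))  # 1001
    print("hardened handler wrote to", set_mood(tampered))               # 1003
    # Editing the signed user id instead just invalidates the signature.
    tampered["fb_sig_user"] = "1001"
    print("forged signed field verifies as", verify_request(tampered))   # None
```

Running it shows the edited uid landing in user 1001's history under the vulnerable handler, while the hardened handler writes to 1003 and rejects the request once the signed user field is tampered with. The same rule covers the Super Wall "from" field and the Free Gifts sender: the server never reads an identity out of the form when it already has one from the signed request, and it checks friendship before handing out another user's stored data.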

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

]]>
Wed, 26 Mar 2008 21:47:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=372699&view=rss&microfeed=true
<![CDATA[ Did The Chicago Tribune Embarrass The CPSC Into Recalling A Million Cribs? ]]> When it comes to consumer reporting about hazardous children's products, the Chicago Tribune might be the most badass newspaper around. After shaming Walmart, Target, and Kohl's by finding (illegal) recalled toys on their shelves, the Tribune went after Simplicity cribs and a massive recall followed:
Photographs taken of Liam Johns' crib by the Sacramento County Coroner's Office clearly show where it came apart.

The drop rail had detached from its plastic track, creating a gap through which the 9-month-old boy slipped feet-first. Instead of falling to the floor, Liam got his head stuck between the rail and the mattress. Trapped in a hanging position, the boy asphyxiated.

Liam's April 2005 death prompted an investigation by a federal watchdog agency and a family lawsuit against the crib's manufacturer, Simplicity Inc.

But the company and the Consumer Product Safety Commission didn't warn parents across the country about the potentially fatal flaw in Simplicity cribs—not after Liam suffocated, not after more complaints about the crib rails and not after two more infants died.

Once the Tribune began questioning the company and the agency this month, a massive recall of Simplicity cribs followed.

The CPSC is denying that the reporter's questioning had anything to do with its decision to recall the cribs, but after 55 complaints, seven infants trapped and three deaths over several years... why did the CPSC suddenly decide to recall the cribs? According to Chicago Tribune reporter Maurice Possley, the CPSC didn't even pick up the crib from the storage locker where it was being held by the family's lawyer until the Tribune informed them of their intention to publish an investigative report. From ABC News:
"The CPSC didn't even pick up the crib until after I told them about it," said Tribune reporter Maurice Possley. "A kid died in April of '05, and a kid dies in November of 2006, and you're the parents of a kid who dies in February of '07, and you know that something could have been done about it? Boy, I'd be really, really angry."

Missteps delayed recall of deadly cribs [Chicago Tribune]
Crib Recall Came Years After Infant Deaths [ABC News]
Did an Investigative Reporter Awaken the CPSC? [The Pump Handle]

]]>
Mon, 24 Sep 2007 23:26:16 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=303242&view=rss&microfeed=true
<![CDATA[ 1 Million Cribs Recalled After 2 Deaths ]]> About 1 million Simplicity cribs were recalled yesterday due to several deaths related to a defect which can cause children to become trapped and suffocate.

Apparently, the drop-side can detach from the crib, which can create a dangerous gap and lead to entrapment and suffocation.

The Simplicity models included in the recall are: Aspen 3 in 1, Aspen 4 in 1, Nursery-in-a-Box, Crib N Changer Combo, Chelsea and Pooh 4 in 1. The recall also involves the following Simplicity cribs that used the Graco logo: Aspen 3 in 1, Ultra 3 in 1, Ultra 4 in 1, Ultra 5 in 1, Whitney and the Trio.

The cribs were sold from 1998 to May 2007.

According to the New York Times, some of the older recalled cribs feature Winnie-the-Pooh, but Disney no longer licenses its characters to Simplicity. The cribs were made in China and sold at Target and Walmart among other retailers.

This isn't the first recall for Simplicity; they've been subject to 4 recalls since 2005, according to the NYT.

"Simplicity builds safe products, and we work every day to make our products better and better," Mr. Waldman, president of Simplicity, said. The company is offering repair kits, but would not tell the NYT if refunds would be provided to customers who requested them.

Here's Simplicity's contact info: (888) 593-9274 between 8:30 a.m. and 10 p.m. ET Monday through Thursday, between 8 a.m. and 5 p.m. ET on Friday, and between 9 a.m. and 5 p.m. ET on Saturday
www.simplicityforchildren.com

Cribs Recalled After Deaths of 2 Children [NYT]
About 1 Million Cribs Recalled Due To Failures Resulting In Infant Deaths [CPSC]

]]>
Sat, 22 Sep 2007 15:59:06 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=302705&view=rss&microfeed=true
<![CDATA[ Vista Has Security Flaws Already, LOL ]]> The New York Times is reporting that Microsoft Vista has security flaws. Yes, already. In addition to a flaw that lets users increase their own privileges and override all the new fancy Vista security, there's a "troubling" flaw in IE7. "The browser flaw is particularly troubling because it potentially means that Web users could become infected with malicious software simply by visiting a booby-trapped site."

Fantastic. This is why testing is important! The rest of us can just wait and upgrade when it's safe. Er, hang on, is Windows XP safe yet? Never mind.—MEGHANN MARCO

Flaws Are Detected in Microsoft's Vista [New York Times]

]]>
Wed, 27 Dec 2006 15:44:56 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=224606&view=rss&microfeed=true