<![CDATA[Consumerist: Social Engineering]]> http://consumerist.com/tag/social engineering <![CDATA[ Are You Sure You Want To Add That Facebook App? ]]> Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, which are listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing the moods of another user, and re-routing gifts, "but this information could be used to mount large scale social engineering attacks if automated and coupled with other information." To illustrate how easy it is to change another user's settings, he pointed us to a YouTube example of how to change another user's "mood" via the Mood app.

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as they are when they are using the first party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.
 
At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
 
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
 
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo
 
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users.
This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
 
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user ids, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds, or those that protect us against them, to ignore. I hope you can help me get the word out.
 
Sincerely, Gregory
Bottom line: if you're going to use Facebook, be aware that there's no guarantee that the app you just added to your page was well-written or secure against basic hacking techniques.
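To make the bug class in Gregory's letter concrete, here is an added example (my own Python, not code from Moods, Super Wall, Free Gifts or Facebook): a toy handler that trusts the uid posted in the form, beside the fixed versions that take identity only from the authenticated session and check the owner's friend list before showing history or accepting a wall post. The users, friendships and moods are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: friend lists keyed by uid (hypothetical users).
FRIENDS: Dict[str, Set[str]] = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}


@dataclass
class Request:
    """A submitted form plus the identity the platform authenticated."""
    session_uid: str                            # who logged in (trusted)
    form: Dict[str, str] = field(default_factory=dict)  # browser input (untrusted)


def set_mood_vulnerable(req: Request, moods: Dict[str, List[str]]) -> str:
    """The pattern the letter describes: the uid comes from the form, so
    editing that field in the browser changes someone else's mood."""
    target = req.form["uid"]
    moods.setdefault(target, []).append(req.form["mood"])
    return target


def set_mood_fixed(req: Request, moods: Dict[str, List[str]]) -> str:
    """Ignore any uid in the form; write only to the authenticated user."""
    target = req.session_uid
    moods.setdefault(target, []).append(req.form["mood"])
    return target


def view_history(req: Request, target: str,
                 moods: Dict[str, List[str]]) -> Optional[List[str]]:
    """History is visible only to its owner and the owner's friends, so a
    non-friend gets nothing back rather than the whole mood log."""
    if req.session_uid == target or req.session_uid in FRIENDS.get(target, set()):
        return list(moods.get(target, []))
    return None


def post_wall_fixed(req: Request) -> Optional[Tuple[str, str]]:
    """Super Wall analogue: the sender is always the session user and the
    recipient must count the sender as a friend, so neither 'to' nor 'from'
    can be spoofed by editing the form."""
    sender, recipient = req.session_uid, req.form["to"]
    if sender not in FRIENDS.get(recipient, set()):
        return None
    return (sender, recipient)
```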

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

]]>
Wed, 26 Mar 2008 21:47:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=372699&view=rss&microfeed=true
<![CDATA[ Hacking US Airways' Company Directory To Reach Lost And Found ]]> Since US Airways' Lost and Found number was nowhere to be found, and no one was picking up the direct line to their company switchboard, we decided to hack their company directory.

Here's the recording of us, spruced up by the visual wizardry of our video slave Alex Goldberg, calling Investor Relations (480-693-1227) yesterday, pressing 0, and brute forcing our way to somebody, anybody, any live person to help us just file a simple (and yes, probably totally hopeless) Lost and Found request.

We recommend this technique if you're faced with an antagonistic operator, or, as in our case, a company that tries to prevent you from even talking to an operator. — BEN POPKEN

RELATED:
US Airways Lost And Found: "That's Pretty Low On Our Priority List"
UPDATE: US Airways Broken Lost And Found Page
US Airways Numbers That Don't Work Quite Right
US Airways Broken Lost And Found Page

]]>
Tue, 12 Jun 2007 17:26:19 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=268250&view=rss&microfeed=true
<![CDATA[ AUDIO: Comcast Easily Tricked Into Giving Your Personal Info To Wiseass Teenagers ]]> Here's a clip from the Cmd Radio show demonstrating how someone armed with only a phone number and address can social engineer your personal information out of Comcast.

Like many companies, Comcast doesn't train its customer service reps enough in security verification. The result is that anyone can call up, pretend to be a service tech, and get your info. Criminals can pick up pieces from one company and use them to get more information out of another, and so on. They can use the end result to steal your identity and your bank account information, and to commit other fell deeds.

Guess that's what happens when you outsource all your customer service to facilities with incompetent and poorly trained employees. — BEN POPKEN

005 - Social Engineering [Cmd Radio] (Thanks to Rich!)
Download the clip (MP3)
Download the full show (MP3)

]]>
Wed, 11 Apr 2007 19:54:00 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=251608&view=rss&microfeed=true
<![CDATA[ Cingular Wins 1.1mil from Data Mining Douchebags ]]> From Law.com:

"In a victory over data miners who used fraud, computer hacking and "social engineering" to collect the private cell phone numbers and calling histories of its customers, Atlanta-based Cingular Wireless has been awarded $1,135,000 in federal court."

The complaint stated that the defendants "engage[d] in deceit, trickery and dishonesty to obtain private information from Cingular's (customer service representatives) through 'social engineering,' improper hacking and/or through unauthorized access to online account information stored on Cingular's database."

Damn. How shitty is your company when Cingular gets to take the moral highground?

"This victory underscores the fact that Cingular will not tolerate data burglars," said Cingular's executive vice president and general counsel Joaquin Carbonell in a statement. "We are fighting to protect customer privacy on other fronts as well, including filing new lawsuits against telemarketers and spammers." I'm warm and fuzzy all over. —MEGHANN MARCO

Cingular Wins $1.1M Victory Over Data Miners [Law]

]]>
Wed, 29 Nov 2006 15:51:57 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=218091&view=rss&microfeed=true