

PSN automatically "roots" your Facebook, no permission granted. - loucal

I have been meaning to link up my modern warfare 3 account with facebook (new feature) so I could see which of my facebook friends play.  Today I finally did it and paid very close attention to the permission I was granting to the game.  Call of duty asks for permission to access all your basic info, view your photos, and post to your wall.  A bit hefty, but I wanted to see who else was playing modern warfare 3 so I agreed.  I was logged in, and when I went to my friends list I was informed it found no results so it was pretty much pointless.  Immediately I checked my account settings on facebook thinking I would just remove access and forget about the whole thing.  I was not so shocked to find that call of duty had allowed itself more access than it asked for.  I WAS however shocked that there was another app allowed in the last 24 hours called 'Playstation Network' and it had a page-long list of access permissions all of which were completely open and I had never been asked to allow that. (I'm pretty sure it just opened up every permission setting possible on facebook) Seriously, check it out yourself if you have the game on ps3.  I would take a screenshot but I was so disturbed the first reaction was to of course revoke all access.  Obviously any information they could access would have been crawled and indexed in Sony's servers in those few minutes, but it was all I could do of course. Has anyone else been disturbed by this?  It is particularly ironic that Sony not so long ago lost all psn users' personal and financial data to crackers, and now they want to underhandedly grab more of it from our facebook accounts.  Please help me bring some attention to this.
======
brian_cloutier
I'm being pedantic, but "roots your Facebook" is a massive misuse of the word
root.

I doubt Sony has the ability to do anything it wants with your account (It
can't change your password, it can't revoke permissions of another app) so
they haven't gained "root access" to your account.

I also doubt that Sony is hacking or getting this access through illicit
means. Sony doesn't "root" your account through some sort of exploit, Facebook
has most likely given them that access. (As a few others have mentioned)

You're right that this is disturbing. Poking holes into the security model in
order to make the user experience more convenient is something companies do
depressingly often. Here's an example that surprised me recently: if you
activate your android phone by signing into a google account it ignores
two-factor authentication and only asks for your password.

[edit, removed a patronizing paragraph]

~~~
loucal
:) I didn't think it would make it this long without someone calling me out on
that but you are 100% correct, rooting is not the right term for what happened
since they did not actually control the account. Some might argue however,
that since they took the liberty to allow everything possible that for all
intents and purposes (except of course changing my password which would do
them no good anyway) they had administrative access to my account.

Also, just to clear up what happened, I was asked to allow separate
permissions for modern warfare 3 (much less lenient ones) and when I did that,
psn also hopped on board and opened up everything (which I clearly did not
authorize). I don't think that facebook has anything to do with this except
for the fact that it is possible. I would hope that this sort of use of their
service makes them unhappy.

I would take personally any app that asked me to allow certain rights and then
piggybacked on every single possible right without notification. Some people
don't care; I think it is an issue to bring to everyone's attention. I'm glad
you got amusement, hopefully some others got more.
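The mismatch loucal describes (an app shown asking for three permissions, and the account settings later listing far more, plus a second app that was never shown at all) is exactly what a scope audit catches. The following is an added example, not code from the thread or from Facebook or Sony: it compares what each app's consent dialog requested against what an account-settings export later reports as granted, and separately shows the client-side check OAuth 2.0 (RFC 6749, section 3.3) gives a well-behaved app for detecting an issued scope that differs from the one it asked for. The app names, scope names and the JSON export shape are constructed for illustration and do not reproduce Facebook's real API.

```python
"""Audit app permissions against what the user actually consented to.

Added example; the consent log, export format, app names and scope names are
constructed and do not reflect any real Facebook/PSN data structure.
"""
import json

# Constructed: what the consent dialog showed the user for each app.
CONSENT_LOG = {
    "Modern Warfare 3": {"basic_info", "user_photos", "publish_stream"},
}

# Constructed: what an account-settings export later reports as granted.
GRANTED_EXPORT = json.dumps({
    "apps": [
        {"name": "Modern Warfare 3",
         "granted": ["basic_info", "user_photos", "publish_stream", "email"]},
        {"name": "Playstation Network",
         "granted": ["basic_info", "email", "user_photos", "user_videos",
                     "friends_photos", "read_mailbox", "offline_access"]},
    ]
})


def audit_grants(export_json, consent_log):
    """Compare each app's granted scopes to the scopes the user consented to.

    Returns {app_name: {"unconsented_app": bool, "extra": [scope, ...]}}.
    An app with no consent record at all is flagged as unconsented and every
    one of its scopes is listed as extra; an app that was consented to has only
    the scopes beyond the consent dialog listed.
    """
    report = {}
    for app in json.loads(export_json)["apps"]:
        granted = set(app["granted"])
        consented = consent_log.get(app["name"])
        if consented is None:
            report[app["name"]] = {"unconsented_app": True,
                                   "extra": sorted(granted)}
        else:
            report[app["name"]] = {"unconsented_app": False,
                                   "extra": sorted(granted - consented)}
    return report


def revocation_plan(report):
    """Turn an audit report into the actions a user would take in the
    account settings: drop unconsented apps entirely, trim extra scopes
    from the rest. Returns a list of (action, app, scopes) tuples."""
    plan = []
    for app, finding in sorted(report.items()):
        if finding["unconsented_app"]:
            plan.append(("revoke_app", app, finding["extra"]))
        elif finding["extra"]:
            plan.append(("revoke_scopes", app, finding["extra"]))
    return plan


def issued_scope_within_request(requested, token_response):
    """Client-side check per RFC 6749 section 3.3: when the authorization
    server issues a scope different from the one requested it MUST include a
    'scope' field in the token response; when the field is absent, the
    issued scope equals the requested one. Returns (issued_scopes, ok)."""
    requested = set(requested)
    scope_field = token_response.get("scope")
    issued = requested if scope_field is None else set(scope_field.split())
    return issued, issued <= requested


if __name__ == "__main__":
    findings = audit_grants(GRANTED_EXPORT, CONSENT_LOG)
    for action, app, scopes in revocation_plan(findings):
        print(f"{action:14s} {app}: {', '.join(scopes)}")
```

Run stand-alone it prints one revocation line per app. The client-side check only helps an honest app notice an over-broad grant; it cannot tell the user about a second app they never saw, which is why the export-versus-consent audit is the part a user actually has to run themselves.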

~~~
bpd1069
I'm not in the mood to rant on about Facebook, but I must say Facebook allows
this to happen. If it didn't it wouldn't.

Facebook gives users the illusion of control and will only extend that
illusion when someone makes a loud fuss (or a lawsuit).

When Zuckerberg states that Facebook has a hacking culture, I think he meant
social engineering.

------
mikeknoop
As TazeTSchnitzel alludes to, HTC and their Sense interface use a similar
"special manufacturer" authentication permission to accomplish this.

EDIT: To clarify, Facebook has made a special deal with HTC (or Sony in the
case of this post) to allow these non-standard browser OAuth flows.

~~~
Eduard
Has anyone tried to sniff on the authentication protocol going on here? I'd
like to know if every oauth consumer can use these hidden permissions.

------
TazeTSchnitzel
Yeah, Facebook has a special authentication mode for devices where browser
OAuth isn't an option.

My Samsung feature phone also gets full permissions when it logs in.

~~~
jrockway
What devices don't have a browser? When I first get an Android device and need
to add my Google account, the browser opens to handle the login flow (which
requires my 2Factor key), and then the phone is authorized. Alternatively, I
can create an application-specific password and use that.

I don't understand why Facebook can't do one of these two things.

~~~
objclxt
There are several applications where devices either don't have a browser or
the browser / input method is unsuitable. I have actually worked on several
projects that use non-standard authentication (with FB's permission), and
although I can't go into too much detail about exactly _what_ the hardware
applications were, they are real and do exist.

~~~
jrockway
Sure, but you can use a Real Computer to authorize the app and feed the
Special Device an app-specific password.

Yeah, that's not convenient, but you didn't get a computer without a working
browser for convenience in using Facebook...

------
Foy
> It is particularly ironic that sony not so long ago lost all psn users'
> personal and financial data to crackers, and now they want to underhandedly
> grab more of it from our facebook accounts.

QFT. You would think that they'd show a little more sensitivity around privacy
issues after their recent security fiasco, instead of looking for more ways to
steal information that they might very well end up losing.

------
sixbrx
Holy crap, that's way beyond what I would have expected. Thanks for reporting
this.

------
gnu8
What do you think Sony pays for that?

------
direllama
So facebook does nothing to restrict apps to the permissions they request?
what's the point then?

------
rapala
Have you contacted Sony or Facebook? It would be interesting to know their
answer.

~~~
loucal
I have not. Last time I complained to Sony they sent out an update to all
playstations and when I downloaded it my ps3 clicked off and I got the 'yellow
light of death'... done, over, forever. This new ps3 was a gift from my
girlfriend so I wouldn't want to give Sony any reason to fry her $300 purchase
like they did with mine.

I know this is a conspiracy theory. The Sony fanboys ripped me apart when I
complained on twitter about it. 'Obviously' it was just coincidence. I'm
thinking at the very least it has to do with that legit version of yellow dog
linux I had on it at one point which they forced me to remove with a more
recent update if I wanted to keep my psn access. I have a feeling I would have
been better off just giving them the boot then and there.. ohh well, SMH

EDIT: just so everyone knows the details, it was after the big crack of psn, it
was down for months and every day I turned on my ps3, checked if I could get
on and turned it off. I complained on twitter at some point and when the network
finally came back up I installed the update. It completed 'successfully' and
asked me to allow it to restart my ps3, I said yes, it turned off, yellow
light comes on and the tears begin to fall.

------
hendrix
This is the same company (albeit a different division?) that decided it was OK
to install rootkits on users' computers.
[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...](http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

~~~
daeken
It should really be pointed out that it _wasn't_ the same company. Sony BMG
was never a part of Sony, it was simply partially owned by Sony. It's like
blaming Apple for something that Pixar did because Jobs owned a substantial
portion of both. Doesn't make the act itself any better, but we should stick
to the facts.

~~~
cek
Except that mere-mortals, like myself, had no idea that "Sony" was not "Sony".

If Sony reaps brand benefits from naming a "partially owned company" "Sony
xxx", then Sony should also suffer when one part of the whole does something
damaging to the brand.

Can't have it both ways.

~~~
po
I worked at Sony Music during the time of the rootkit fiasco and I was a bit
surprised by the reaction of the internet. There were many organized boycotts
of Sony Corporate, Sony Playstation, etc… while nobody tried to boycott any
Bertelsmann products (and there are _plenty_ ). The irony is that the
individual in charge of that division of Sony BMG came over in the merger from
Bertelsmann.

While Sony certainly stood to reap the brand benefits, they also reaped almost
all of the negative publicity.

~~~
dspillett
> _While Sony certainly stood to reap the brand benefits, they also reaped
> almost all of the negative publicity._

That sounds like someone failed in their due diligence role, rather than any
reason I should pity Sony.

------
shingen
Come on, who doesn't trust Sony?

------
ricardobeat
Two years ago we were all handing our social network username + passwords to
every service out there. You just did that with your Playstation, what's new?
Just don't share things with services you don't trust. OAuth doesn't work in
this setting.

