

Major Facebook security hole lets you view your friends’ live chats - bjonathan
http://eu.techcrunch.com/2010/05/05/video-major-facebook-security-hole-lets-you-view-your-friends-live-chats/

======
jacquesm
What a waste to blow this right open. Think of the fun you could have had by
friending all the people that trample our privacy with both feet and
publishing their stuff a year from now or so.

I'm pretty sure we'd see them wise up quickly when presented with a taste of
their own dogfood.

Missed opportunity!

~~~
derwiki
While we're at it, let's hack all the computers of the kernel maintainers
every time there's an exploit. Sorry for the sarcasm, but I really don't think
exploiting software insecurities is the way to get anything productive done.

~~~
invisible
I think you are missing the point on that one. Kernel maintainers are striving
to produce a good product. Those that "trample privacy" are not out to produce
anything except profits. Think about the hypocrisy that would be involved if
they were offended by their chats being published if they push for similar
data (others' data) to be public.

~~~
Locke1689
So vigilante justice is morally defensible now? I'd like to hear about your
complete ethical system.

~~~
invisible
What piece of what I said made it defensible? I was merely explaining away the
concept that it applies to engineers like it does for "privacy tramplers."

------
bruceboughton
This is the kind of feature I would be very nervous of implementing as a
developer (showing some data in the context of another user)... to the point
of pushing back on it.

I imagine it cuts across whole swathes of code, requiring additional checks
about the current user. It would be so easy to leave some of these checks out
or mess them up. You would have to be very careful about validating your
assumptions with this feature.

~~~
MartinCron
This is the kind of cross-cutting feature I've had to implement for clients,
and yes, it's painful.

I built an internal web application for a large and somewhat paranoid company
that required three distinct layers of security. While I'm pretty sure I
implemented them correctly, and could explain pretty well how they worked when
pressed, I think it was just too much for most users to wrap their heads
around the mental model.

In retrospect, I should have pushed back. If I couldn't convince them to go
with a simpler model, I should have at least advocated for adding the layers of
security incrementally, both to let the users understand what the model is and
to help the development team understand what the model should be.

------
drewcrawford
"Chat is down for maintenance at this time"

~~~
JeanPierre
At least they seem to patch up things whenever bugs like this are discovered.

~~~
pierrefar
They want the privacy leaks to happen only through their APIs.

~~~
akadien
Is this a criminal violation?

~~~
pierrefar
If you mean on Facebook's part, no. If the user, then maybe.

------
Todd
Where's the "Like" button when I actually want it?!

------
seiha
I just shared this URL on my wall and it didn't go to the feed. ha.

~~~
enterneo
I shared the YT link directly, and it went to the wall.

~~~
seiha
Well, at least this confirms that Facebook does have the ability to filter out
blacklisted URLs to the public friend feed.

~~~
pohl
...and a willingness to censor within their walled garden. Maybe they had
already shown that, but now I know.

~~~
axod
Let's have some proof rather than sheepish upvotes, hrm?

------
quant18
Are we sure the security hole was limited to merely viewing your friends' live
chats? Sure, the "review how your profile appears to another person" search
box will only give you your friends --- but you can change the "viewas" id
manually.

Edit: I see someone in the Techcrunch comments section posted what he claims
to be Mark Zuckerberg's pending friends requests - Ctrl+F for "Random Jo - May
5th, 2010 at 3:04 pm UTC" ...

~~~
spulec
I can confirm that the security hole was not limited to only friends. I was
able to insert non-friends' IDs for the "viewas" parameter.
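
The two failure modes raised in this thread, bruceboughton's point that a "view my profile as X" feature forces a cross-cutting "which user am I really acting for?" check into every data lookup, and quant18's and spulec's observation that the `viewas` id could be set to a non-friend, are shown below in one added example. This is illustration code written for this page, not Facebook's code; the user names, friend lists, chat lines and pending requests are constructed, and the handler names `render_vulnerable` and `render_hardened` are hypothetical.

```python
"""Added example (not Facebook's code; all users, ids and data are constructed).

A "view my profile as X" feature handles a request such as
    GET /profile?viewas=<user id>
and must keep two identities apart:
  actor   - the logged-in user actually making the request
  subject - the user whose view of the actor's profile is being simulated

The vulnerable handler switches the whole request context to the subject, so
every later lookup (chat, pending friend requests) runs as the subject, and it
never checks who may be named in `viewas`.  The hardened handler binds private
state to the actor and lets the subject influence only the visibility filter.
"""

# --- constructed sample data ------------------------------------------------
FRIENDS = {"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}}

# profile field -> (value, audience); audience is "everyone", "friends" or "only_me"
PROFILE = {
    "alice": {
        "name": ("Alice", "everyone"),
        "phone": ("555-0100", "friends"),
        "notes": ("draft status update", "only_me"),
    },
}

# private, per-user state that a profile viewer must never see
CHAT = {
    "alice": ["alice<->bob: lunch?"],
    "bob": ["bob<->carol: payroll numbers"],
    "carol": ["carol<->dave: medical appointment"],
}
PENDING_REQUESTS = {"alice": [], "bob": ["erin"], "carol": ["frank", "grace"]}


class Forbidden(Exception):
    """Raised when the actor may not preview as the requested subject."""


def is_friend(owner, other):
    return other in FRIENDS.get(owner, set())


def visible_profile(owner, viewer):
    """Return the subset of owner's profile that `viewer` is allowed to see."""
    out = {}
    for name, (value, audience) in PROFILE[owner].items():
        if (viewer == owner or audience == "everyone"
                or (audience == "friends" and is_friend(owner, viewer))):
            out[name] = value
    return out


def render_vulnerable(session_user, viewas=None):
    """The bug: one 'current user' variable serves both roles."""
    # BUG 1: the request context is swapped wholesale to the impersonated user
    current_user = viewas if viewas is not None else session_user
    # BUG 2: nothing checks that viewas is a friend, or anyone in particular
    return {
        "profile": visible_profile(session_user, current_user),
        "chat": CHAT[current_user],                        # the subject's chat
        "pending_requests": PENDING_REQUESTS[current_user],  # the subject's requests
    }


def render_hardened(session_user, viewas=None):
    """Fix: authorise on the actor, filter on the subject, validate viewas."""
    actor = session_user
    subject = actor
    if viewas is not None:
        # Server-side check against the actor's own friend list; the friend
        # picker in the UI is not a security control.
        if not is_friend(actor, viewas):
            raise Forbidden(f"{actor} may not preview as {viewas}")
        subject = viewas
    return {
        "profile": visible_profile(actor, subject),  # the only subject-dependent output
        "chat": CHAT[actor],                         # private state stays bound to the actor
        "pending_requests": PENDING_REQUESTS[actor],
    }


if __name__ == "__main__":
    leaked = render_vulnerable("alice", viewas="carol")  # carol is not alice's friend
    print("vulnerable:", leaked["chat"], leaked["pending_requests"])
    ok = render_hardened("alice", viewas="bob")
    print("hardened:", ok["profile"], ok["chat"])
```

Running the block shows `render_vulnerable("alice", viewas="carol")` returning carol's chat and pending requests even though carol is not alice's friend, while `render_hardened` refuses that `viewas` outright and, for a legitimate friend, returns alice's own chat alongside a profile with the `only_me` field dropped. The structural lesson is that "current user" must be two variables from the first line of the handler; a single shared one will eventually be read by some widget that should have used the other.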

------
raganwald
"Never ascribe to malice, that which can be adequately explained by
incompetence."

~~~
ohashi
Can we still be angry at incompetence?

~~~
raganwald
Possibly even more so than at malice. If an organization acts out of malice,
you can change its behaviour by educating it about its best interests or
moving to disincent its malicious behaviour.

But incompetence, especially systemic incompetence, is extraordinarily
difficult to change. Facebook appears to have ADD around user privacy and its
interface. Designs come and go, defaults change capriciously, and security
seems to be an afterthought.

We've seen this movie before, with MSFT in the role of the bumbling centi-billionaire.
Hopefully Facebook will steer a different course.

~~~
DrSprout
Hopefully users will steer a different course.

------
india
Even though chat is blocked, you can still see pending friend requests on
anyone's profile. In fact, one can probably use this to add anyone as a
friend. Send a friend request, view your profile with their id and accept the
request you just sent.

~~~
ErrantX
It doesn't let you accept/reject those requests - just shows them (afaik)

~~~
bcl
Looks like they are in the middle of patching that -- I see a large number but
when clicking on it I only see my own messages.

------
qeorge
It appears he gets access to not only their chat, but friend requests,
notifications, and messages too. When he switches to Sian from Hayley, notice
how all the indicators light up.

Spying on PMs is even worse than live chat, in my opinion.

~~~
robgough
Certainly seems to be _fixed_ for me now though. The interesting question is
how long has this "bug" been present - how long has my account been
compromised for?

~~~
henriklied
I used the `viewas` parameter a couple of days ago after changing some privacy
settings, and this didn't happen.

------
julio_the_squid
Well, that's no problem! Several executives from large companies in the
business of selling my private information have recently informed us all that
privacy is over-rated, doesn't exist anymore and if you even want it to exist,
you're wrong.

