
Facebook blames Zuckerberg embarrassment on API 'bug' - taylorbuley
http://www.networkworld.com/community/blog/facebook-blames-zuckerberg-embarrassment-api-
======
mvandemar
Firesheep, which allows people worldwide to steal other people's Facebook
passwords over public wifi, comes out in October and they _still_ don't
redirect to https login by default. Zuckerberg's fan page gets hacked with a
message pertaining to Facebook's investors and they close the loophole that
allowed it to happen in 1 day. Of course.
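
As an added example (not part of this thread, and not Facebook's code), the defender-side check behind this complaint: session cookies carried over plaintext HTTP can be read by anyone on the same network, and the fixes are to serve login over HTTPS, mark the session cookie Secure (and HttpOnly), and send Strict-Transport-Security so the browser never falls back to http://. The hostnames, cookie values and headers below are constructed sample data; `audit_login` reports what a passive sniffer would gain from a response, and `redirect_to_https` is the server rule the comment asks for.

```python
from urllib.parse import urlparse

# Constructed sample responses (not real traffic): a login flow that still
# serves the form over plain HTTP and sets a session cookie without Secure,
# next to the hardened version of the same flow.
WEAK_LOGIN = {
    "url": "http://www.example.com/login.php",
    "set_cookie": ["sid=8f3a1c2e; Path=/; Domain=.example.com"],
}
HARDENED_LOGIN = {
    "url": "https://www.example.com/login.php",
    "set_cookie": ["sid=8f3a1c2e; Path=/; Domain=.example.com; Secure; HttpOnly"],
    "strict_transport_security": "max-age=31536000; includeSubDomains",
}


def cookie_attributes(header):
    """Split one Set-Cookie header into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login(response):
    """Return a list of findings; an empty list means the response passes.

    Each finding names a way a passive listener on a shared network could
    observe the credential or session cookie in the clear.
    """
    findings = []
    if urlparse(response["url"]).scheme != "https":
        findings.append("login served over plaintext HTTP: password and cookies readable on the wire")
    for header in response.get("set_cookie", []):
        name, attrs = cookie_attributes(header)
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http:// requests
            # for the same domain, which is what a sniffer on open wifi collects.
            findings.append(f"cookie {name} lacks Secure: sent over http:// as well")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by page script")
    if "strict_transport_security" not in response:
        findings.append("no Strict-Transport-Security: the first request may still go over HTTP")
    return findings


def redirect_to_https(scheme, host, path):
    """Server rule: answer any http:// request with a 301 to the https:// twin.

    Returns (status, location) for a plaintext request, or None when the
    request already arrived over HTTPS and no redirect is needed.
    """
    if scheme == "http":
        return 301, f"https://{host}{path}"
    return None


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_login(resp) or ["ok"])
    print(redirect_to_https("http", "www.example.com", "/login.php"))
```

Running it lists four findings for the weak flow and none for the hardened one; the redirect helper is the piece that makes "https login by default" the server's decision rather than the user's.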

~~~
tptacek
It's not a "loophole"; it's a critical vulnerability in their API server. It
doesn't just affect Zuckerberg.

~~~
kirbman89
I think the point is that FB did nothing until it hit close to home and was
embarrassing to their brand.

------
veb
Doesn't Facebook have a history of telling us one thing, but actually meaning
something else?

Wonder what _really_ happened? Must've been _much_ more embarrassing for them
to admit they had an "API Bug".

(I haven't heard of any other accounts being borked via API calls, and
developers mess with these thousands of times a day, you're telling me
_nobody_ picked up on this...? Except the dude who did a harmless prank on
Zuckerberg's page...)

~~~
indigoviolet
A bandersnatch ate the anti-hacking chip we'd installed.

~~~
wallflower
<http://www.jabberwocky.com/carroll/jabber/jabberwocky.html>

Fun poem to memorize

------
jdp23
Has Facebook or anybody else said anything about what the underlying bug was?
Missing permission check, incorrect logic, problem in error condition ... ?
Their security model is so complex that I'd expect the code to be a nightmare
... and they introduce functionality at such a fast pace

------
mjuhl24
"...an API "bug" that allowed unauthorized persons to post not only on his
page but those of an undisclosed number of other users." [read: a _lot_ of
other users]

~~~
nbpoole
That sentence was written by the author of the article: it doesn't appear to
be based on what people actually said. The quote from Facebook is "A bug
enabled status postings by unauthorized people on a handful of public pages.
The bug has been fixed."

Of course, we have to keep in mind that Facebook has an incentive to downplay
the severity and the author has an incentive to hype the severity; the truth
is probably somewhere in the middle. There's no reason to believe that there
was mass-abuse of this issue unless someone has evidence to the contrary. At
the same time, Zuckerberg's wasn't the only high profile page to have a
strange status posted on it recently.

~~~
mjuhl24
There is no evidence of mass abuse, but that doesn't mean there wasn't the
potential for it. If a security hole affected one fan page, it seems likely
that it affected every fan page.

