
Facebook bans KDE application, deletes user photos - Garbage
http://www.networkworld.com/community/node/75598
======
saurik
From the error, it actually sounds like the application had an API key
distributed inside of it... which means that anyone, anywhere, could pretend
to be the application.. and could use its credentials to upload anything they
want.

Yeah, right here:

    fbtalker.cpp:    m_apiKey     = "bf430ad869b88aba5c0c17ea6707022b";
    fbtalker.cpp:    m_secretKey  = "0434307e70dd12c414cc6d0928f132d8";

To be honest, as much as I hate Facebook's developer program, sharing an API
key in an end-user downloaded application (open source or not: doesn't matter)
seems downright inane, and I can easily see circumstances where it looked like
the application in general was doing something downright forbidden (maybe
uploading porn), and the entire application got banned and all of its content
got retroactively pulled.

In fact, I'm a little rusty on this whole Facebook API thing, but I could
easily see situations where the application was authorized to access people's
photo galleries, then allowing anyone with those API keys to upload photos /as
other people/. This likely went unnoticed for a while, but eventually someone
figured it out, uploaded porn to /someone else's account/, and then the only
feasible way to fix the situation (assuming a person even bothered looking
into it, and I wouldn't blame Facebook much if no one did) was to just pull
all photos that had been uploaded.

Seriously: this is not a situation of "do not use Facebook": this is a
situation of "do not use insecure applications".
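
A defender-side check prompted by saurik's grep above, as an added example that is not part of the thread or of the KDE code: a small scanner that flags string literals assigned to key/secret/token-named identifiers when the value looks like a real credential rather than a placeholder. The two quoted fbtalker.cpp lines are used as sample input; the other sample lines, the regexes and the thresholds are my own assumptions.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample: the two fbtalker.cpp lines quoted above plus lines a
# scanner must NOT flag (a build-time placeholder, short values, a name
# that merely contains "api").
SAMPLE = """\
fbtalker.cpp:    m_apiKey     = "bf430ad869b88aba5c0c17ea6707022b";
fbtalker.cpp:    m_secretKey  = "0434307e70dd12c414cc6d0928f132d8";
fbtalker.cpp:    m_userName   = "alice";
fbtalker.cpp:    m_apiVersion = "1.0";
config.h:        SECRET_KEY   = "REPLACE_ME_AT_BUILD_TIME";
"""

# grep-style "<file>:<code>" lines where the code assigns a string literal.
LINE_RE = re.compile(r'^(?P<file>[^:]+):\s*(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"')
NAME_RE = re.compile(r'secret|api_?key|token|passw(or)?d', re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r'replace|change|todo|xxx|example|your_', re.IGNORECASE)

class Finding(NamedTuple):
    file: str
    name: str
    severity: str  # "high": an app secret lets any caller act as the app

def shannon_entropy(s: str) -> float:
    """Bits per character; random hex scores close to 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_credential_like(value: str) -> bool:
    # Length and entropy reject short or constant values; the placeholder
    # check is still needed because an uppercase template string such as
    # REPLACE_ME_AT_BUILD_TIME scores above 3 bits/char on its own.
    return (len(value) >= 16 and shannon_entropy(value) >= 3.0
            and not PLACEHOLDER_RE.search(value))

def scan(text: str) -> List[Finding]:
    """Return one Finding per suspicious assignment, in source order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and NAME_RE.search(m["name"]) and is_credential_like(m["value"]):
            severity = "high" if "secret" in m["name"].lower() else "medium"
            findings.append(Finding(m["file"], m["name"], severity))
    return findings
```

Run as a pre-commit or CI step over `grep -rn '= "' src/` output; the severity split reflects nl's point further down that an app secret is far more dangerous than an identifier or a per-user token.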

~~~
fleitz
How exactly does one solve this issue?

Facebook's auth/app system makes a whole lot of sense for web sites but zero
sense for desktop/mobile apps.

The app is not insecure, how does exposing two keys endanger ANY user data?

iPhone apps have the EXACT same issue, as this application, give me an IPA
file and I'll give you the app's keys. Look at Facebook's official docs and
they recommend embedding the keys into the app in this manner.

~~~
teej
They have a special desktop API that solves this exact issue.

EDIT: they used to, at least. They now want devs to use the web OAuth flow by
adding an embedded web view to your desktop app.
<http://developers.facebook.com/docs/authentication/>

~~~
fleitz
How does using the OAuth flow on a desktop app solve any of these issues?

If you have the app binary, you have the secret key. It's simply a matter of
attaching a debugger and waiting for the URL handler to be called. Even the
trick auth flow on iphone where it opens the Facebook app has the same
vulnerability.

~~~
nl
_If you have the app binary, you have the secret key._

No, you have the _access token_. There's a big difference.

_It's simply a matter of attaching a debugger and waiting for the URL handler
to be called. Even the trick auth flow on iphone where it opens the Facebook
app has the same vulnerability._

Yep, you can do that. But then all you know is how to authorize the app to act on
your (the logged on user) behalf. You can write another application that
pretends to be that app, but since it acts on your behalf I'm not sure that's
a big risk.

In the case of this KDE program, not only do you know how to make the app act
on your behalf - but (as the OP noted) - it is probably possible to make the
application act on behalf of _any other user that has authorized this
application id_. That's a pretty bad problem.

It sucks for the legitimate users who uploaded the pics using it, but who
knows what else got uploaded to other people's accounts using this program? I
suspect that's the reason why Facebook didn't just ban the app, but had to
delete pics as well.

------
wladimir
Banning the application could be justifiable (don't know the details), but
removing everyone's user photos just because they were uploaded with a certain
tool, wow, that's messed up. I simply don't have words for it.

~~~
nl
It's likely that the tool (or - more precisely - the app id & secret) let
people upload pictures into other people's accounts. Facebook couldn't let
that stand.

~~~
r00fus
Just deleting photos without a proper explanation of why you did so leaves a
very bad taste in the mouth.

I can see why people would be bitter... FB just deleted their photos because
their upload method was "wrong".

If they said there was no possible way to examine the situation, or that they
would restore your photos if you waded through an indemnification click-through,
then OK, I can understand.

But just deleting the photos with no warning or even notification?

------
makmanalp
While putting an API key like that inside code is pretty silly, and the ban
makes sense, I don't understand why _our content_ had to disappear along with
the app. All the photos were in normal facebook photo albums. Bad customer
service play.

~~~
dorian-graph
They may have thought something like: Someone could have taken advantage of
the API key and used it to upload content for not-so-good reasons and rather
than checking all content uploaded using that key, they removed it all.

------
Xuzz
I'm going to assume this was a mistake. However, I have been seeing quite a
few "mistakes" similar to this from Facebook lately. They have a legitimate
problem with application spam, but if they are going to try and fight that by
banning applications, they better be _damn_ sure they are getting the right
ones. But, they don't seem to be doing a particularly good job of that, at
least from what I've seen.

However: maybe they are doing a great job, and it's just the few mistakes we
hear about. Or, even — maybe there's a legitimate reason for banning this
application (although they could be better at communicating that reason, if
there is one). But, at this point, even just the cases I've heard about here
on HN don't inspire me (or, it seems, many others) to choose Facebook as the
platform to develop upon. And that might be a bigger issue, even more than
application spam.

Edit: after reading saurik's post, this seems like a legitimate situation for
them to pull it. However, the point still stands: they need to communicate
this better to both KDE and the users of the application.

I _like_ Facebook. Just don't like it when stuff like this happens.

~~~
Blunt
"they better be damn sure they are getting the right ones." No, see, the
problem is you're not in control of FB. They are still a private company and
they get to do whatever they want, obviously within the confines of US Laws
and, obviously, to the benefit or detriment of their company. Life is simple:
If you don't agree with their practices, then you have the power to choose to
stop using their services. Why is that so hard for people to understand?

~~~
seabee
People expect others not to jerk them around. They will bitch about how
they've been jerked around long before they'll cut the jerk from their life.
Hopefully, because said jerk will change their behaviour, in a perfect world.

There is also a lot of inertia created from using Facebook for a little while.
You can't just pretend that inertia doesn't exist.

------
dendory
It's simple, you get your own site, which you pay for if you have to, then add
one of the countless plugins that automatically share your content to Twitter,
Facebook, etc.

If all you do is upload your primary content directly to Facebook and nowhere
else, you're just asking for trouble.

~~~
rmc
_If all you do is upload your primary content directly to Facebook and nowhere
else, you're just asking for trouble._

That applies to 99% of the Facebook audience.

------
doogle88
I seem to remember Mark Zuckerberg using KDE in The Social Network. Seems
ironic.

~~~
troels
Nah, that was an actor.

------
nsomaru
Well, there goes three of my albums. I really hope this gets resolved.

