Rally HN: help build an independent Privacy Scanner for Facebook
120 points by mjpizz on May 14, 2010 | hide | past | favorite | 28 comments
Right now I have some code started for a bookmarklet that runs on Facebook and scans some of the most common privacy holes that are enabled by default. It shows a summary and has "one-click fixes" to lock down those privacy settings. Check it out here:

I started this project last weekend on my flight back from Michigan to the Bay, and I just don't have enough free time to really make it solid. The bookmarklet needs better cross-browser testing (it works well in Safari 4, and mostly okay in FF3), and there are plenty of important privacy checks that it still needs to do (wall-post privacy settings, photo privacy settings, etc). A few of the checks can be wonky at times, especially the ones that scan the privacy dropdowns.

So...join in! If you want to contribute, just fork it on GitHub:

...I'll check pull requests periodically and redeploy the latest patches. The project is contained in an AppEngine app since that was the easiest thing to throw up on a Google domain this morning.

I like it, and it works as advertised. Don't be surprised if you get a C&D if this becomes popular though, Facebook hasn't taken nicely to Javascript hacks/scraping in the past (http://www.chocolatesoftware.com/firefox/).

yea, I'm considering changing some of the "one click" fixes and just directing the users to the relevant privacy settings. The main goal is to be able to give this to my less-technical friends and family, so they can fix up their privacy settings without getting confused by all the deep navigation.

That's an excellent goal. How sensitive are the Javascript checks? You can also pull in some privacy settings (around default settings for posting and maybe more) via their API. Though in its current state it's pretty awesome.

thanks! The checks aren't too sensitive, but the one-click fixes can be flaky. FF3 periodically has issues, haven't had time to delve into it yet. I'm hoping some other Javascript pros take a look at the code.

I make no comment on the purpose of this tool, but I strongly recommend serving your Javascript, if not the whole site, under HTTPS. If you are going to tell everyone to run arbitrary Javascript in the context of their Facebook sessions, at least take precautions that this code will not be modified in-flight.

I considered SSL. However, Facebook already serves all of their own pages over plain HTTP, so serving the bookmarklet on HTTPS won't add any security AFAIK.

Please reconsider. Also reconsider serving data from olark.com and, generally, try to reduce your attack surface. There are too many "javascript viruses" running around already.

Facebook serves its JS over HTTP already...as does most of the internet. An attacker would just change that JS if they had that type of access.

most of the internet doesn't use HTTPS, they use plain HTTP. HTTPS prevents man in the middle attacks...

One thing that might shortly be of tremendous use: some sort of application that scrapes information off of Facebook, namely one's local friend graph. (And ToS be damned! That's my information!)

A greasemonkey script would do, but a standalone Windows app would be much better. (OSX and Linux as well.) Something with a very simple UI, with a login screen and one button, which would yield an XML or JSON file. Preferably, it would simulate the browsing speed of a real user, with randomized parameters, so it would be undetectable. If it ran in the background, it would still be relatively painless.

Why this would be so useful: I'm envisioning a counterpart program that can upload such information into something like Diaspora. I'm not advocating that Diaspora create such an app. Someone else should do it. Someone who might like to develop a rep as an outlaw. (A beneficial one, however.)

It should be incredibly simple to build with the graph API if you are interested. Here are your friends:


docs here:


Facebook isn't as tight with your data as you would expect ;)

Aren't you also imposing your "morality" about sharing on users who use this? Would you be comfortable if Facebook were to do something like this, with [good] pointing to "sharing something with everyone"?

I tried clicking your bookmarklet when logged into your site (http://www.reclaimprivacy.org) -- that is to say, I ignored your directions on purpose, just to see what would happen. It wedged up my Firefox and I had to kill it off.

So, maybe some error checking there? Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.2) Gecko/20100329 Firefox/3.6

When logged into facebook, it worked fine.

It cautions me when I have the setting that "Everyone" can friend request me ... maybe be lenient on that one?

I'm not. I am now receiving friend requests à la MySpace from completely random people with 3,000 friends...

If they want to be friends, they need to message me or know one of my other friends (most of my friends are friends with other friends anyways).

I concur - the "caution" is good, as it forces people to re-think their settings. I decided not to change the items I was cautioned on, but it was beneficial to see them called out, allowing me to make a conscious choice.

For me, scanning personal information and scanning friends, tags, connections information ... both seem to take a long time (now been ~20 minutes).

I'm running Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/20100316 Firefox/3.6.2

This is very nice. I thought my profile was rather private but some information was fully public.

Tested successfully in Midori.

Once you give the "ok, it's polished enough", I'll share it with my friends.

"scanning friends, tags, and connections information..." and "scanning personal information..." did not finish for me on Firefox 3.6.3 OSX.

Very nice! Works just fine in Chrome on OSX. Found a couple of settings that I would swear I had previously set to just friends.

This is time well spent mjpizz. Some of the one-click fixes don't do anything. But awesome :)

Two of the scans didn't complete for me. Anyone else?

nice work... Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2010033100 Iceweasel/3.0.6 (Debian-3.0.6-3)

Ran it on Chrome and finished successfully.



It never changes from this...

Oh, it helps if you mention that it has to be clicked and executed while actually on facebook.com. You should alter the bookmarklet to reflect that.

Also, please make it easy to copy/paste the bookmarklet. I do not have a bookmark bar and don't enjoy digging through the source of the page to get the necessary bit of javascript.

For those in a similar situation: <removed>

Also, your src attribute is missing a closing apostrophe, unless HN scrubbed it earlier. Never mind, it is HN's fault. Sorry folks, you have to go source-diving yourself as well.

Excellent!!! Thank you! Used and recommended to friends and colleagues.
