More on Facebook security

This week I’ve come across two more articles about Facebook’s poor security/privacy.

The first by Ian Glazer on the Burton Group Identity blog notes that apps can get access to all your details even if your privacy settings are set to prevent this… Whilst you can prevent a third-party app from accessing your details directly, if you allow your friends to read your profile, when they install the app it inherits the permissions of your friend relationship, rather than your own app settings, meaning the app can suddenly access your whole profile.

The second by the Cambridge University Security Research Lab relates to ads served either through Facebook, or within apps using the Facebook platform, and how these can access your personal data and the pictures you’ve stored. It ends with a worrying note – ‘The platform API remains fundamentally broken and gives users no way to prevent applications from accessing their photos.’

Chroma-Hash

It’s rare that IT security and aesthetics come even close to being related, however I stumbled across something on the Information Aesthetics blog this week which piqued my interest.

I’ve come across some debate recently around passwords. It seems to be becoming common knowledge that password security generally isn’t good enough these days, and 2FA or other strong methods should be used where possible. However, that’s an issue for another day – passwords clearly are in the majority when it comes to the average user’s experience of IT security.

Some sources suggest that password rotation is a bad idea, and others propose that the asterisks, or similar characters that obscure your password are nigh-on a waste of time – notably security expert Bruce Schneier. Masking passwords mostly serves to annoy users continually to avoid the virtually non-existent threat of someone reading the password over your shoulder.

It’s a potential solution to this password masking problem that I came across this week – a mechanism that displays a colour key next to the password entry box called Chroma-Hash.

A hash of the text you’re entering for your password is generated in real-time. Each small change generates a significantly different hash, and it means you can see at a glance that you’re entering the correct password, hopefully avoiding your account getting locked through typos, but without revealing the exact password.

You can find out more about it on the author’s site, and the original article on Infosthetics.

Facebook Security

Despite my better judgment, I’m still using Facebook. All of my friends and acquaintances use it, increasingly as an IM application, and not just for posting inane status updates. Indeed Adium, my IM client of choice, now supports Facebook chat, so I’m spending more time rather than less.

That being said, the thing I really don’t like about Facebook is the crappy applications and quizzes that people seem to expect you to join in with. I don’t care that you’ve thrown a sheep at me, or the Spice Girl you’re most like is ‘Baby Spice’… But more worrying is that these apps are quite often vectors for spam and people are entirely oblivious.

The security lab at Cambridge wrote a good article highlighting how bad this is, clearly spending a lot more time than my totally unscientific analysis of asking a few people I know, and experience of using the site. They noted that it’s relatively easy for an app to get published on the Facebook platform that can steal the user’s Facebook session, then use this to query Facebook’s servers impersonating the user and mine all of their personal data and that of their friends.

Facebook don’t allow you to do this under their terms of use, but obviously there are so many apps being published that some slip through the net. More than this, they’re not inclined to check particularly actively as long as users don’t shout too much – these apps have nicely targeted ads which make them and Facebook money. But of course the ads are targeted – the app stole all your data, so you can be pretty sure they can pick an accurate ad. None of this is new news, there have been a variety of reports in the technology and mainstream press highlighting how identity theft and other privacy concerns abound on Facebook.

The thing that never ceases to amaze me, however, is the fact that users continue to complete these inane quizzes, download free apps that allow them to throw sheep at their friends and don’t stop to wonder why anyone would go to the trouble of building these apps for free. It’s all well and good that Facebook asked me my date of birth when logging in from an ‘unusual location’ (I was travelling for work), but this is of little security benefit when it’s trivial to steal this information during my use of the site from the safety of my own house.

I’m unlikely to stop using Facebook given the amount of friends and work colleagues who use it, but please don’t be offended if I ignore your request for a pillow fight, zombie chase, gang war, or the chance to find out which South Park character you are.
