Wednesday, April 30, 2008

Identity 'at risk' on Facebook

Facebook has millions of users throughout the world


Personal details of Facebook users could potentially be stolen, the BBC technology programme Click has found.

The popular social networking site allows users to add a variety of applications to their profile.

But a malicious program, masquerading as a harmless application, could potentially harvest personal data.

Facebook says users should exercise caution when adding applications. Any programs which violate their terms will be removed, the network said.

Stealing details

Facebook is the darling of the moment, allowing friends to stay in touch, post photos, and share fun little games and quizzes. And it also lets you keep your details private from the rest of the world. Or at least that is the implication.

We have discovered a way to steal the personal details of you and all your Facebook friends without you knowing.

We made up the fictitious profile of Bob Smith. He keeps most of his details on his profile private from non-friends.

While we could not get all of his details, what we did get, which included his name, hometown, school, interests and photograph, would certainly help us to steal someone's identity.

Mining data

So how did we do it?

Using a couple of laptops and our resident coder Pete, we created a special application for Facebookers to add.

One of the reasons Facebook has become so popular so quickly is because of the wealth of applications users can add to their profile pages.

Little games, quizzes, IQ tests, there are thousands of them available. And once you have added an application, your friends are encouraged to add it too.

Anyone with a basic understanding of web programming can write an application.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users' friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people's security?
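To make the permission model concrete, the following is a constructed Python model added by the editor; it is not the Click team's Miner code and not Facebook's actual API. The user names, profile fields and the `block_apps` and `default_deny` flags are assumptions. It shows the transitive exposure the article describes (a friend who never added the application still has data read through someone who did) and the effect of the default-setting change Paul Docherty calls for later on this page.

```python
"""Toy model of an application platform's profile-access policy.

Constructed example, not Facebook's API and not the Click team's Miner code.
It models the one point the article turns on: a user who adds an app exposes
not only their own profile fields but their friends' too, unless each friend
has opted out. Names, fields and the policy flags below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    profile: dict               # hometown, school, interests, photo ...
    friends: set
    installed: set = field(default_factory=set)   # apps this user added
    block_apps: bool = False    # the opt-out the article mentions; off by default


def fields_readable_by_app(app: str, target: User, via: User, default_deny: bool) -> dict:
    """Profile fields of `target` that `app`, added by `via`, may read.

    default_deny=False: the weak default the article describes. A friend's data
    flows to the app through the installer unless the friend has opted out.
    default_deny=True: the tightened default. Data flows only for users who
    added the app themselves; being someone's friend is not consent.
    """
    if app in target.installed:
        return dict(target.profile)         # the user consented directly
    if target.block_apps:
        return {}                           # explicit opt-out always wins
    if default_deny:
        return {}
    if via.name in target.friends and app in via.installed:
        return dict(target.profile)         # transitive exposure via a friend
    return {}


def harvest(app: str, users: dict, default_deny: bool = False) -> dict:
    """What a data-mining app sees across the whole platform under a policy.

    Mirrors the Miner app's behaviour: for every installer, read their profile
    and then every friend's profile the platform lets through. Returns
    name -> fields, i.e. the records the app would ship off-platform.
    """
    seen = {}
    for installer in users.values():
        if app not in installer.installed:
            continue
        targets = [installer] + [users[f] for f in installer.friends]
        for t in targets:
            got = fields_readable_by_app(app, t, installer, default_deny)
            if got:
                seen.setdefault(t.name, {}).update(got)
    return seen


def victims_who_never_added(app: str, users: dict, default_deny: bool = False) -> list:
    """Names whose data leaked although they never added the app themselves."""
    return sorted(n for n in harvest(app, users, default_deny)
                  if app not in users[n].installed)


# Constructed population: Alice adds Miner; Bob and Carol are her friends and
# never add it. Carol has engaged the opt-out, Bob has left the defaults.
USERS = {
    "alice": User("alice", {"hometown": "Leeds", "school": "A"}, {"bob", "carol"}, {"Miner"}),
    "bob":   User("bob",   {"hometown": "Hull", "school": "B", "photo": "bob.jpg"}, {"alice"}),
    "carol": User("carol", {"hometown": "York"}, {"alice"}, block_apps=True),
}

if __name__ == "__main__":
    print("weak default :", victims_who_never_added("Miner", USERS))                     # ['bob']
    print("tight default:", victims_who_never_added("Miner", USERS, default_deny=True))  # []
```

Under the weak default Bob, who did nothing but be Alice's friend, loses his hometown, school and photo; only Carol, who found and engaged the opt-out, is protected. Under the tightened default the application sees only the people who actually added it. The model does not cover the other half of the article's point, that the harvested records leave for a third-party server the platform cannot inspect; once the read is permitted, nothing in the policy stops the copy.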

Security

Now, many applications do need access to your details, in order to work properly.

We do not know of any specific application which abuses user information, apart from ours.

But the ease with which we created our application has many people worried. If such an application were in use, you would not even have to add it yourself to become a victim; you would just have to be a friend of someone who has.

Because these applications run on third-party servers, not on servers run by Facebook, it is difficult for the company to check what is going on, whether anything has changed, how long applications store data for, and what they do with it.

Although Facebook's terms and conditions contain a warning that this could in theory happen, and the site offers the option to stop an application from accessing your details, many games and quizzes would not work if that option is enabled.

In fact, the only way we can see of completely protecting yourself from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.

So has Facebook done enough to protect its users from identity theft?

Paul Docherty is the Technical Director of Portcullis Security, which advises several governments on IT security matters, including the British government.

He told us he believed that Facebook's terms and conditions stated on the site meant that Facebook had legally covered itself from any liability.

But he added: "Morally, Facebook has acted naively."

He said: "Facebook needs to change its default settings and tighten up security."

He also believes it would be difficult to secure the current system because so many third party applications are now in circulation.

Removal team

We put these concerns to Facebook.

It told us that it has an entire investigations team watching the site, and removing applications that violate its terms of use which would include our Miner application.

It also advises users to take the same precautions with Facebook applications that they would take when downloading software to their desktop.

Now, all this comes in the month that competitor MySpace opened up its application platform. However, it handles applications differently: there, all applications run on MySpace's own servers, so it can see what they are up to.

MySpace also manually checks all submissions and rechecks them if authors wish to change the code. We were unable to create a similar threat to users' security using the MySpace system.

It certainly seems that Facebook's standard security settings are not sufficient to protect your personal information, and those of your friends.

Source: http://news.bbc.co.uk/2/hi/programmes/click_online/7375772.stm
