May 5, 2010
The primary social networking web site, FaceBook , is mushrooming
into an estimated 400 million users world-wide* and also has
increasing problems in regard to personal security, identity theft,
malware, and viruses. Never before has such a wealth of personal
information been available for someone to share about themselves,
alongside such an opportunity for computer crime.
In the interconnected world of the twenty-first century, we
communicate in new and ever changing ways. We have come a long way in
networking since the first telephone directory was published with 391
entries*, to an estimated 1.8 trillion Internet users*. But not only
is the Internet changing the way we communicate, it is changing our
perception of crime and privacy.
Privacy Within FaceBook
Security risks and identity theft is affecting a large percentage of
users and they must be educated to protect the personal information
not only for themselves, but all who they network with. One very
recent situation targeted a FaceBook user with a specially crafted
attack (Perlow). Not only was the user’s account compromised by the
attack, but every one of over 1,000 of the users’ contacts were as
well. The users name was defaced and came to find out that he was
unknowingly spamming hundreds to thousands of e-mails. His computer
was also infected with malware from the attack.
Reasonable solutions need to be found to help our population combat
this growing problem. It is viewed as a large enough problem that
four US Senators have urged FaceBook to allow better information
controls for users (Khun). The naked truth is that changes in the
site must happen in order to preserve our privacy and technological
security into and through the life time of FaceBook. We will be
looking at the situation from the view of the users, and the
which is barely a primer. It states its basic policy in terms which
seem innocent enough without discussing the pros and cons of the
policy. It also states that if you wish not to share certain
information, that it is easy to change your settings to do so.
we find that privacy is no longer a topic of much importance to
FaceBook. In a few years FaceBook has grown from a college network of
students as users, into a wealth of computers users. All whose
knowledge of security varies from expert to no experience at all.
In the short year-long time frame I have personally used FaceBook, I
have seen the terms changed a few times. Each subsequent change
limiting more and more control over my personal information. To
maintain most of my personal information, I am forced to remove it or
find that it has been shared with the entire world. Even removal of
content has been reported as insufficient (Whittaker), as one MIT
research study shows.
Several websites give useful information as to how the privacy
settings can be used effectively. One such site at Sophos (Sophos)
suggests settings to control much of what you share on FaceBook, but
FaceBook takes the elimination of privacy one step further.
Page and Profile Linking
A new feature connects your profile information with suggested
pages. For instance, your hometown information would be linked to the
matching page, or your favorite band would automatically be linked to
its fan page. On the surface it seems harmless enough, however, for
most of us it raises red flags.
The first red flag was a confirmation on FaceBook, asking to
“Opt-Out” of this feature (Opsahl). Opting out keeps your
information from being automatically linked, and opting in is
something that isn’t explained well enough. FaceBook explained in no
certain terms that opting in would share your information with every
page you are automatically linked to, but also the users which are
linked to those pages as well. We could liken it to posting your
profile on a bulletin board at Grand Central Station. We also might
hint that these links make virus and worm-like attacks definitely
With the introduction of an internet browser enhancement, FaceBook
users can share what they surf on the web, which the Electronic
Frontier Foundation exclaims is propelling FaceBook into huge profits
from targeted advertising (Chapman). While this may be true, target
marketing isn’t anything new. Internet super giant Google has been
collecting information like this to increase revenue for years, but
FaceBook users have expressed distaste for this change. The feeling
of a “bait and switch” is omnipresent, as it seems the site’s
agenda has evolved over the years. Overgrown from a small number of
users at a college into a mass of social users interacting sharing
their lives and and playing games, it has grown faster than its
The sum of all ports of FaceBook is seemingly elegant. However in a
recent blog post, Jason Perlow rants in frustration about his
FaceBook account being hacked. The basic security lesson we get from
the direct and indirect message are simple: Third-party applications
must be secured (Perlow).
Third-party applications allow for all sorts of interesting
interactions on FaceBook, but also allow for the widest area of
exploitations. A recently published Proof-of-Concept attack
(Inj3ct0r) highlights a third-party application SQL injection
vulnerability. [SQL injection is a common web based attack technique
to manipulate a database into revealing its data to the attacker.]
The explicit details of the attacker’s method was omitted to prevent
frivolous duplication, but can be surmised as follows.
Recent problems with a popular game application “FarmVille”
caused disruptions to thousands of users. The attack injected the
favored game with an internal frame (IFRAME) delivering outside
scripts to be executed on its victims computers. It also created a
post on the victims profile page inviting friends to claim a “prize”
in the game, which, when clicked on, allowed execution on the
friends machine continuing to no end. Thousands of profiles were
harvested for personal information.
Such attacks are currently common, and being patched as developers
become aware. But this does not prevent attackers from creating
their own applications to carry out their code, since the FaceBook
Markup Language is available for public consumption.
Another third-party application, “TV Show Chat,” accepted
mis-formed URLs and displayed specific SQL database errors – which
is a definite mistake in web administration. The SQL errors let us
determine the databases size, what information is stored where, and
how to evoke specific information (Inj3ct0r). That information is
shared and/or linked through the users profile: name, contact
information, friends names and information, interests, access to post
on the profile page, and so forth. We determine that what seems like
a small hole in one third party application is not so minor, and to
an attacker it is like a screen door at a bank. At the last time we
checked, there were over 70,000 third-party applications available on
As we’ve seen, FaceBook’s Privacy Policies are a complex web of
issues which demand attention. There will be problems until FaceBook
allows easier controls for users to manage their personal
information, and examines their third-party application privileges.
I recommend first that all users visit the Sophos web site and
follow the suggested settings to enhance the security of their
profile. Also to limit the use of third party applications, and
ignore profile posts and requests regarding the applications.
Furthermore I suggest for FaceBook to redesign their privacy
settings allowing novices to decide what they would like to share,
and with whom. FaceBook will also need to audit their third party
applications for security flaws, mainly concerning those that allow
for internal frames, allowing input that results in SQL errors, and
disallow applications from posting to profiles. However rigorous this
may be, it is the only course of action to take in order to prevent
further downward spiraling of security issues into the future.
Chapman, Glenn. “Privacy Vs Profit at FaceBook.” Brisbane
Times. Fairfax Digital, 2 May
5 May, 2010.
FaceBook. “FaceBook’s Privacy
Policy.” FaceBook, 22 April, 2010. Web
4 May, 2010.
Inj3ct0r. “FaceBook’s servers was
hacked by Inj3ct0r team.” Hack0wn, 8 April 2010. Web
5 May 2010.
Khun, Eric. “Senators Urge
FaceBook to Change Privacy Settings.” CNN. Turner Broadcasting
Systems, Inc, 27 April, 2010. Web
6 May, 2010.
Opsahl, Kurt. “FaceBook’s Eroding
April, 2010. Web
5 May, 2010.
Perlow, Jason. “Contemplating FaceBook Hara-Kiri.” ZDNet.
CBS Interactive, 3 May 2010. Web
4 May 2010.
Sophos. “Sophos’s recommendations
for Facebook settings.” Sophos, N.d. Web
4 May, 2010.
Whittaker, Zach. “FaceBook does
not erase user-deleted content.” ZDNet. CBS Interactive, 28 April,
6 May, 2010.