66 comments

[ 3.0 ms ] story [ 123 ms ] thread
"Never ascribe to malice, that which can be adequately explained by incompetence."
Can we still be angry at incompetence?
Possibly even more so than at malice. If an organization acts out of malice, you can change its behaviour by educating it about its best interests or moving to disincent its malicious behaviour.

But incompetence, especially systemic incompetence, is extraordinarily difficult to change. Facebook appears to have ADD around user privacy and its interface. Designs come and go, defaults change capriciously, and security seems to be an afterthought.

We've seen this movie before, with MSFT in the role of the bumbling centi-billionaire. Hopefully Facebook will steer a different course.

Hopefully users will steer a different course.
Insightful,thanks. Helps me understand some situations I have been in.
Not really. Everyone on this site has worked in software development at one point, right? So everyone here has written a bug before. Its reasonable to expect every piece of software (short of the stuff on the space shuttle) to have bugs. It simply isn't feasible for most software companies to find and fix all of the problems with their products.

Facebook, like all other software, is bound to have bugs. If you don't want your personal information/conversations to be exposed by a potential bug I'd suggest not using the service.

Well, a lot of this is the flip side of FaceBook's "changes are pushed to the live site as soon as they're checked in" policy. That lets them innovate quickly, but also means that whenever anyone screws up, it's immediately visible in a very public way. Other companies have release processes and QA procedures to stop this.
On the whole, I think the rapid innovation model tends to make things safer overall. Tiny changes can be rolled back more easily, or patched more easily.

Release processes and rigorous QA procedures seem more appropriate for client-deployed software like operating systems than for centralized web applications.

Every single line of code is peer reviewed by at least 2 people before it can be pushed.
But tested by nobody?

What happens to the reviewers that let this thing slip through, btw?

From chatting with a few Facebook engineers, I'm pretty sure it's not quick to get checked in code -> production (unless it's super urgent)
so you're proposing that if someone doesn't like software bugs that they should stop using software?

that would be mighty difficult, as software and their potential bugs are present in most every facet of modern life.

Thank insert-your-favorite-deity-here i don't pick my financial providers that way.
"Chat is down for maintenance at this time"
At least they seem to patch up things whenever bugs like this are discovered.
They want the privacy leaks to happen only through their APIs.
Is this a criminal violation?
If you mean on Facebook's part, no. If the user, then maybe.
Yeah, they'll deal with that fast but we've had a complaint/bug submitted for 3 weeks now and they haven't done a thing. I understand they must get a ton of these but as paying customers who rely on Facebook for key promotion you'd think they'd pay attention.

Sorry, just ranting a bit. It's been frustrating dealing with a company that doesn't have a telephone helpline, even for paying customers. (We've spent thousands of dollars on Facebook ads, etc.)

Wouldn't it be a lot less disruptive just to disable that privacy feature that people use very rarely rather than disabling chat, which people use all the time? Unless, of course, they're afraid that this isn't the only security hole allowing you to see your friends' chats.
They disabled the button on the privacy setting page, but as of a few moments ago, this url still worked: http://www.facebook.com/[your short url]?viewas=[id]

Edit: The button from the privacy settings page is working again.

In general, though, cutting chat while trying to fix this is probably a Good Idea. Less room for bad things to happen assuming you can turn chat off more quickly than you can fix the behavior.

(comment deleted)
Chat is back up now.
"Until we figure out the best way to market this 'feature' to our advertisers"
Even though chat is blocked, you can still see pending friends request on anyone's profile. In fact, one can probably use this to add anyone as a friend. Send a friend request, view your profile with their id and accept the request you just sent.
It doesn't let you accept/reject those requests - just shows them (afaik)
Looks like they are in the middle of patching that -- I see a lage number but when clicking on it I only see my own messages.
Are we sure the security hole was limited to merely viewing your friends' live chats? Sure, the "review how your profile appears to another person" search box will only give you your friends --- but you can change the "viewas" id manually.

Edit: I see someone in the Techcrunch comments section posted what he claims to be Mark Zuckerberg's pending friends requests - Ctrl+F for "Random Jo - May 5th, 2010 at 3:04 pm UTC" ...

I can confirm that the security hole was not limited to only friends. I was able to insert non-friend's IDs for the "viewas" parameter.
I just shared this URL on my wall and it didn't go to the feed. ha.
I shared the YT link directly, and it went to the wall.
Well, at least this confirms that facebook does have the ability to filter out blacklisted URLS to the public friend feed.
...and a willingness to censor within their walled garden. Maybe they had already shown that, but now I know.
Lets have some proof rather than sheepish upvotes hrm?
Some time ago I was unable to send a link via private messages to a friend, because the link was flagged as abusive/offensive. I didn't see anything wrong with the link, neither did my friend (once I got the link to him via email).
It could just be that the public friend feed only shows a small subset of all of your updates. Might have nothing to do with a blacklist.
I shared the link on my wall and it works just fine, appears on my feed and my wife's feed, at least.
It appears he gets access to not only their chat, but friend requests, notifications, and messages too. When he switches to Sian from Hayley, notice how all the indicators light up.

Spying on PMs is even worse than live chat, in my opinion.

Certainly seems to be fixed for me now though. The interesting question is how long has this "bug" been present - how long has my account been compromised for?
I used the `viewas` parameter a couple of days ago after changing some privacy settings, and this didn't happen.
(comment deleted)
This is the kind of feature I would be very nervous of implementing as a developer (showing some data in the context of another user)... to the point of pushing back on it.

I imagine it cuts across whole swathes of code, requiring additional checks about the current user. It would be so easy to leave some of these checks out or mess them up. You would have to be very careful about validating your assumptions with this feature.

This is the kind of cross-cutting feature I've had to implement for clients, and yes, it's painful.

I built an internal web application for a large and somewhat paranoid company that required three distinct layers of security. While I'm pretty sure I implemented them correctly, and could explain pretty well how they worked when pressed, I think it was just too much for most users to wrap their heads around the mental model.

In retrospect, I should have pushed back. If I couldn't convince them to with a simpler model, I should have at least advocated for adding the layers of security incrementally, both to let the users understand what the model is and to help the development team understand what the model should be.

Well, that's no problem! Several executives from large companies in the business of selling my private information have recently informed us all that privacy is over-rated, doesn't exist anymore and if you even want it to exist, you're wrong.
What a waste to blow this right open. Think of the fun you could have had by friending all the people that trample our privacy with both feet and to publish their stuff a year from now or so.

I'm pretty sure we'd see them wise up quickly when presented with a taste of their own dogfood.

Missed opportunity!

While we're at it, let's hack all the computers of the kernel maintainers every time there's an exploit. Sorry for the sarcasm, but I really don't think exploiting software insecurities is the way to get anything productive done.
I think you are missing the point on that one. Kernel maintainers are striving to produce a good product. Those that "trample privacy" are not out to produce anything except profits. Think about the hypocrisy that would be involved if they were offended by their chats being published if they push for similar data (others' data) to be public.
Especially if those chats documented their attitude towards their users.
So vigilante justice is morally defensible now? I'd like to hear about your complete ethical system.
What piece of what I said made it defensible? I was merely explaining away the concept that it applies to engineers like it does for "privacy tramplers."
That would be a valid comparison if distro maintainers were in the habit of forcing updates of opt-out data-compromising features to your OS.
I was thinking the same thing, but was hesitant to post my thoughts as I was sure someone would think my intentions would be cruel. Also, why not allow facebook to look horrible due to their own mistakes? Imagine how bad they would have looked if this wasn't brought to their attention so fast.
I hope you're just joking, as I think you are.

Obviously that's wrong. And privacy should be respected, bug or no bug.

> I hope you're just joking, as I think you are.

Think again.

If it would have been me discovering this (not that I'm nearly smart enough to do so, but hypothetically speaking) I would have definitely used it against FB management.

They run roughshod over the rights of their users every chance they get, they really need a wake-up call about why privacy matters and that they ought to be more responsible when it comes to things like this.

And that would have made you a criminal.
"Criminal" is a term that only applies if you are caught.
No, "convicted criminal" is a term that only applies if you are caught.
No, "convicted criminal" is a term that only applies if you are caught, prosecuted, law enforcement carries out the investigation properly, you're not lucky with the pick of the judge, they have better lawyers than you do, and you don't accept a plea bargain.
Taking the plea bargain counts as a conviction.
That's true. I might add that it's also possible to strike a deal where the whole thing is stricken from your record after x years, but we're taking this a bit too far at that point!
That would have potentially made me a criminal. But sometimes you need to stand up for what you think is right even if there are consequences.
Where's the "Like" button when I actually want it?!
fb chat is slow - I usually log in and then ask my friends to move over to YM or Skype - not a lot of chat logs for me ...