28 comments

[ 3.0 ms ] story [ 71.1 ms ] thread
This is precisely the scary factor of FB's open graph. While Facebook may be able to keep my data mostly secure (read: aside for their bugs of late), how can I know for sure their partners will?

When money is the primary driver behind who gets these partnerships (like yelps special one, anybody can use open graph) you have a fundamental and telling issue, privacy tends to go out the window when monetization of data starts to happen.

I don't think facebook needs any further help from Yelp to put 'user data at risk'.

The last couple of weeks have been pivotal in the history of social media, I've never seen so many main stream media articles about the security and privacy issues associated with a single company.

Which is awesome, I love that more attention is being put to security and privacy practices of companies online. Hopefully it'll be the catalyst for a lot of positive changes in the near future.
While I agree with you, the vast majority of users on Facebook are more concerned who won Dancing With the Stars than about any information exposed about themselves online. Sadly, those are probably the same people the click on ads. For Facebook, and companies like them, it's win-win.
Yeah, you're right, unfortunately, but it's a step in the right direction.
It is absurd that a company (Facebook) would put itself in a position where another company's negligence/mistake/whatever could possibly put its users' data at risk.
True. Unsettling.

It seems Facebook is on an absurdity run. The last two weeks have been full of absurd bugs, absurd ideas. </rant>

One thing is for sure - FB is not having a good week.
I wonder if they care. The amount of damage control Facebook has done in the wake of this has been pretty passive; as if they're saying "We hear you, but we're going to stay the course".
From FB point of view they have 2 options.

1. Go back to the 2007 FB and keep most people happy, and lose the ability to sell private data.

2. Lose 10-25% of users and monetize everyone else's data.

"... lose the ability to sell private data."

Facebook does not sell private data. It never has. In fact, if Facebook's evil plan were to someday start selling private data, encouraging users to make their accounts more open would make this plan less effective: you can't sell public data.

By private I mean when I upload a picture and set the privacy to "only Bob" It makes me think that Bob is the only person who has access to this picture.
The words you typed were "sell private data." It is an inflammatory phrasing, that evokes clandestine exchanges of cash for information that users are assured is private. Since you apparently know it's bogus, please do your part in keeping discussions reasonable and stop spreading it.
FB will get a share of ad revenue from a 3rd party application that Bob installs. That application will have access to my picture that I set to "only Bob".

You can blame Bob for being the middle man, or me for not reading the fine print in the privacy policy, but at the end of the day FB is making money from "selling my private data"

Realistically? I'd be surprised if they even lost 1% of users (4+ million).
I'm extremely privacy-sensitive and nothing they've done has come close to shaking me off as a customer. Key detail about my use of Facebook: I don't publish things on Facebook that I'm concerned about, and I don't use it for work social networking.
I hope enough people boycott sites that use the FB instant personalization thingy. But hope is not a strategy, alas.
All the more reason to modify your facebook settings to disallow their third party vendors from accessing your data.
Its pretty terrible that a big site like Yelp would be open to a Cross Site Scripting attack.
Most are.
It's scary actually. It's become so easy for anyone to build a site/app, but most people are clueless when it comes to security. Even the basics, like validating and sanitizing inputs and outputs. Couple this with the "I have to release before my competitors do" mentality and you end up with a gaping hole that you can just walk through. If your site is big enough, you should hire an expert.
Welcome to the last 30 years of the technology industry. We have t-shirts!
(comment deleted)
What is also important to note is that if someone's data gets compromised, our data is also at risk if we are friends with that person. My fiance uses Yelp and stays logged into to Facebook, and could indirectly compromise any of her friend's data (and even the information in her inbox).
Technically, the limitations of open graph require a specific user auth token to get any extra data. So if your fiancee gets compromised, they can get the name's and profile pictures of her friend's but that's all. Any extra information (like email) require the user to visit the site with the xss as well.
It would be lovely to see Yelp, Facebook, and Twitter all succumb in some kind of deadly embrace -- a grand implosion that would be. Like watching that implosion of Texas Stadium last month.

Oh well, on to other wishful thinking...

In the last weeks since the new Facebook api and policy change you can see the outcry and the security problems being reported frequently and so many places.

It is getting to a nightmare and I am not sure how well in general consumers in the social media can keep track of it. 


Here is my business idea. My assumption is that a website helping people to understand and simplify the security issue on the social media places plus a clean how to instruction on setting the security levels will generate some good traffic. Anybody wants to build it?


In the photos at the bottom, how come the blacked out one of the email addresses completely? Obviously not an @gmail, wonder what it is.