Is Privacy An Illusion? Facebook ‘Fans’ Claim Hack Exposes Private Profile Information (Update)
by Robin Wauters on June 22, 2009

FBHive, a new site covering news and opinions about Facebook started by ‘two twenty-something guys’ who are self-proclaimed ‘avid fans’ of the social networking service, is launching today with a bang. According to the website owners, a security loophole allows anyone to view private profile information even if that information has been shielded off by privacy settings.

Think FBHive is touting this hack simply to draw attention to the new site? Think again.

As a challenge, I asked them to tell me some things about me that they could only find on my Facebook account, which is protected from public viewing and should only be accessible to my networks and friends. Almost immediately, they replied with my birth date, the name of my hometown, the name of my fiancé and my political views. That’s scary (and more proof is available if you click the link below).

In their first blog post, FBHive mentions that a similar hack – using the search function to uncover private information – was reported by The Register back in 2007, but that their process is ‘much more simplified and specific’. Moreover, they also claim the bug has already been reported to Facebook several times since June 7th, but that so far the response has been virtually non-existent.

The FBHive team is giving the Facebook team – which we’ve also alerted about the claim – about 24 hours to finally respond to their reach-out, and will post details on how exactly one can obtain basic private profile information from protected accounts should the company fail to respond adequately.

Update: statement from Facebook:

We have identified this bug and closed the loophole. We don’t have any evidence to suggest that it was ever exploited for malicious purposes.

This is yet another blow to Facebook: yesterday Michael published an article about a weeks-long issue with click fraud on the social networking service, which the company acknowledged almost immediately with a promise for a quick fix.

(Image found on the blog of Pino Bruno)


Responses


  • Privacy online is an illusion. Don’t tell me you do not know this, Mr Wauters. The answer is as simple as 1+1=2

    • That’s why I only put in fake information. Once you put down your DOB, etc., it’s in the stream and will never be taken back. Someone on my friend list was deported from a foreign country for political protests and is likely on their watch list; I’m not sure if this will affect me if I ever need a govt background check. I don’t want anyone to know I know this person. That’s also why I don’t use 3rd party apps. Who are the makers of these games and what will they do with my info?

      • And don’t tell us governments aren’t pulling data from FB and other data hoovering sites and companies (Google etc.).

        (Google alone can track your habits/preferences on approx. 85% of the world’s top 400,000 sites.)

    • They posted how they did it. Using the “Tamper Data” add-on they changed the uid parameter in the HTML POST. This was used in the rarely used “edit profile” option of FB, while this does not work in the normal “view profile”.
      http://www.fbhi...nes-basic-info/
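The comment above describes an insecure direct object reference: an “edit profile” request carries the account’s uid in the POST body, and the server trusts that value instead of the identity bound to the session cookie. The block below is an added example, not FBHive’s write-up or Facebook’s code. It reconstructs that pattern as a minimal request handler beside a hardened version; the profile data, the friend lists, the `Request` type and the handler names are all constructed for the example.

```python
"""Added example: a POST handler that trusts a client-supplied uid (the IDOR the
comment describes) next to one that binds the operation to the session identity.
All data below is constructed for the example; nothing here is Facebook's code."""

from dataclasses import dataclass

# Constructed sample data. Each profile is marked friends-only; FRIENDS maps an
# owner uid to the set of uids allowed to read it.
PROFILES = {
    1001: {"name": "Alice", "birthday": "1984-03-09", "hometown": "Brussels",
           "political_views": "Liberal", "visibility": "friends"},
    1002: {"name": "Mallory", "birthday": "1990-11-30", "hometown": "Ghent",
           "political_views": "Undisclosed", "visibility": "friends"},
}
FRIENDS = {1001: {1003}, 1002: set()}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass
class Request:
    session_uid: int  # identity established by the login cookie (server-trusted)
    form: dict        # body of the POST; entirely attacker-controlled


def can_view(viewer_uid: int, owner_uid: int) -> bool:
    """Friends-only visibility check used by the normal 'view profile' path."""
    return viewer_uid == owner_uid or viewer_uid in FRIENDS.get(owner_uid, set())


def view_profile(req: Request, target_uid: int) -> dict:
    """The ordinary read path enforces the privacy setting, so tampering the
    target here fails (the comment notes the bug did not work via 'view profile')."""
    if not can_view(req.session_uid, target_uid):
        raise Forbidden("profile is friends-only")
    return dict(PROFILES[target_uid])


def edit_profile_vulnerable(req: Request) -> dict:
    """Bug: the uid that selects the record comes from the request body, so any
    logged-in user who rewrites it (e.g. with a request-tampering add-on)
    receives the pre-filled edit form of someone else's private profile."""
    uid = int(req.form["uid"])
    return dict(PROFILES[uid])


def edit_profile_fixed(req: Request) -> dict:
    """Fix: the record is chosen by the session identity only. A uid in the body
    is tolerated solely as a consistency check; a mismatch is a tampering signal
    worth logging and rejecting rather than silently ignoring."""
    uid = req.session_uid
    if "uid" in req.form and int(req.form["uid"]) != uid:
        raise Forbidden("form uid %s does not match session uid %s"
                        % (req.form["uid"], uid))
    return dict(PROFILES[uid])


def tampered_request(attacker_uid: int, victim_uid: int) -> Request:
    """Model of the modified POST: attacker's own session, victim's uid in the body."""
    return Request(session_uid=attacker_uid, form={"uid": str(victim_uid)})


def demo() -> dict:
    """Run the attack against both handlers and report what each one leaked."""
    req = tampered_request(attacker_uid=1002, victim_uid=1001)
    leaked = edit_profile_vulnerable(req)   # returns Alice's private fields
    try:
        edit_profile_fixed(req)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaked_birthday": leaked["birthday"], "fixed_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to real applications: the identifier used to select a record on a write or edit path must come from the authenticated session (or be authorised against it), never from the request body alone; and because rarely used screens get less review than the main read path, the same visibility check has to be applied on every path that returns the data, not only on the one users see most.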

    • No, it is NOT an illusion …it is a farce.

  • if you don’t want private info on the net, don’t put it on the net……

    WOW, I’m a genius.

  • Some ‘genius’ billyw lol

  • Nothing is perfect, but the thing is that there should be measures to overcome the issues.
    The faster you recover, the better the product you can offer.
    Regarding this post:
    Facebook should hire some serious testers who can test the ways to hack FB security systems.

  • They can find basic profile information only. While this needs to be addressed ASAP, the world isn’t exactly falling.

    • I vehemently disagree, although it depends on who you are. This is what they can uncover: “networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, looking for, political views and religious views.”

      • That’s basic information for some people in some situations, but very sensitive information for others.

        • so don’t put that info online!!! why is that so hard to understand?

          • @billyw Online != Shareable

            Your Gmail is also online, so why don’t you give us your password, so we all can have your emails?

          • So because people could possibly break into the post office, steal and read my letters, I should never send any containing private information either?

          • You both are reaching now.

            FB is a social networking site. Emails or letters have one destination, while social media is meant for a larger audience.

            If you have a problem with people seeing your “networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, looking for, political views and religious views”, then don’t fill in those fields and make them viewable.

    • @economist: What’s changed since 15 June when you thought privacy was important to tweet:
      “Tip: If you join a new network on Facebook, double check your privacy settings to ensure it hasn’t made your profile visible to that network”

  • I’m glad this issue has been brought up, again. It’s not the first time I have come across a complaint regarding a Facebook security issue. Hopefully they will look into this matter seriously this time, and close the loophole asap.

    To have an occasional glitch for such a huge network site is understandable, but drastic measures are to be taken to prevent it.

    @wchingya
    social media/blogging

  • Also to add, I’ve noticed that I can see the INFO tab on a lot of people who are not my friends via the FB iPhone app.

    Not sure if there is a setting that you have to change, but I wonder if these guys are calling that the “hack”.

  • Facebook makes people believe their information is completely hidden when set to private. To those that argue “don’t put it on the web”: it’s along the same lines as “don’t say anything in your private emails you wouldn’t want people other than the recipient to read”. If Facebook says it is private, it should be completely 100% private.

    I understand they can’t prepare for every hack, but they’re a huge company and have been told about it and yet nothing has been done, not even to warn users while they fix it.

    Thank you for posting about this. It makes me glad I left facebook when I did.

    • I would love to use the expression “I hate to say I told you so…” because, well, I haven’t said anything to you [all] in response to previous alerts like this, but while I can’t use it here, I have used it in an argument with friends who are trying to get me to sign up. I was very unlikely to then (read: tell my friends I’m still thinking about it); now it’ll be a cold day in hell before I do.

      Therefore I am not a member of Facebook, and will never join *disclosure* I am a member of a number of other SN sites.

      I don’t recall any of these kinds of reports coming out referring to any others, but FACEBOOK is gonna lose a heck of a lot of users, with the ongoing debate about holocaust deniers and these continual security exposés, both of which should’ve been put to bed long ago.

  • Facebook also goes into your private email address’s contact list even if you never give it permission to do so. It cleverly doesn’t go and add those people as your friends or send them invites, but it checks who’s there, and then suggests those people to you as “people you may know” when you log in. I know this for a fact because it’s connecting me with people that I knew 15 years ago and there’s no chance on earth they’d be friends’ friends’ friends on Facebook, or whatever.

    Spammers!

    • Just seen your post after posting mine about the same issue, which I just found out about. This really pissed me off; I’m considering closing the account.

      • yeah, saw your posts too. Actually happy that someone else has seen it and I’m not imagining. I couldn’t believe it when I saw that because I’m very careful NOT to give my email password to these kinds of bots.

        I’m signed up with a Hotmail account and the funny thing is that recently there was some issue with Facebook messing up Hotmail. Some kind of cookie issue, not sure what; I remember looking it up on MSN forums to find out what it was. I’m guessing now that was something to do with this unauthorised siphoning of contact details, or maybe Microsoft has sold data to Facebook, no idea. All I know is that private information has ended up on Facebook without my consent.

    • How could FB get into your private email contact list unless you gave them your login/pass when you signed up?

      • That’s a great question – I have no idea. And I’m very mindful of not giving that password out, for any of my email accounts. It’s like a personal policy.

        The best I can come up with is some kind of Facebook spyware/sniffer that’s looked at my contacts when I log in (hence the Facebook/MSN problems recently) or that MSN and Facebook have done some kind of silent deal. I just don’t understand how they’d get the info otherwise.

        The link between the Facebook “people you may know” feature and my Hotmail contacts is obvious. I have people in my Hotmail that I was in touch with over a decade ago and have no connection to anymore, almost strangers that I don’t share mutual friends with (the suggestions work on the basis of mutual friends). It’s almost funny because it includes people that are on the other side of the world, about as separated from me as possible. But there’s one link – they were once a Hotmail contact that I haven’t cleaned out, and they have Facebook accounts themselves.

        I find it very dubious. Would be interested in hearing other similar accounts.

        • This is ignorant and patently ridiculous. Just because you don’t understand the science and mathematics behind the algorithms recommending friends doesn’t mean you should accuse Facebook of black magic or gross privacy violation.

          • Well I happen to run a social network myself and am designing another as we speak, and I understand a thing or two about how these things work.

            I’d be happy for you to offer an alternative explanation, and I have no idea why you’d call something like this ignorant?! It’s a real observation and two other people at least have confirmed it here.

          • Alternate explanation? Here’s one: they input their own contacts list into Facebook, and you were on it.

        • Some kind of technical information on how they manage to do this would be nice. There is no “Facebook sniffer” that I have found to recover such info (and I have been over the code with a fine-tooth comb :) ) so such an attack is impossible.

          As it stands you’re making a HUGE accusation – you kinda have to back it up with big proof now. Because that is illegally accessing something you don’t allow them to. Which is big trouble for FB.

          And if you can’t prove it and it is based on your suspicions, then be careful about making these claims. They can come back to haunt you if the myth takes off :(

        • Facebook is not breaking into your email account. What is probably happening is that one of your friends allowed Facebook to pull contacts from their email account, and you were one of the contacts pulled. Since you already have an account, Facebook can then suggest people to you using the data they pulled from said friend’s email. Thus the same effect is achieved, without data provided by you or by illegitimate access to your email.

  • Facebook does seem to have a few too many glitches, and recently their security issues don’t seem to be getting solved very quickly or being paid attention to.

  • With the recent events in Tehran, issues of internet privacy have gone from being annoying and embarrassing to potentially fatal. The ability of the Iranian government to hack someone’s Facebook profile can lead to torture and death. Just as this “Twitter Revolution” has shown the power of the internet, it also has called on the internet to mature. It is no longer a teenager playing in a world of limited consequence, but is capable of having very real impact on the world, good and bad. Lines of code and privacy preferences can now save or cost lives. It’s time to get extremely serious about security.

    • Well Said!

    • If FB states “privacy” under that option, it should be 100% private or relabeled “semi-private”, accompanied with a big block/all caps disclaimer of its privacy limitations. People are too trusting of big brother and too quickly forget that the world is controlled behind the scenes by large corporations who do not have a vested interest in protecting your privacy and civil rights. Profit is their only motive (at any cost). I believe FB has a social and moral (wishfully legal) responsibility to its users to protect their privacy. I wouldn’t have a problem seeing a class action lawsuit against them if they did not take appropriate measures… especially when people’s civil liberties are at risk… (like Anony stated above). Additionally, I think FB should allow users to use alias names and be able to request different levels of privacy agreements. I mean, doesn’t it throw up a big red flag to anyone when FB requires you to include your full name???

  • Yeah, too many security breaches.

  • Since when is Facebook grabbing, at registration, the contact list of a user’s email address, which I just had to be exposed to? As far as I knew and saw until now, such a thing used to be done after the user’s approval, upon the site asking the user’s permission.
    Which even in that case is regarded by many users as undesirable, in their concern not to share their privacy.
    How can this site do such bold acts at its own will?
    Facebook may think that it can sport this at-its-own-will privacy violation as they please. It will not take long until a wave of counter-campaigning on this ends up in mass abandonment of the “platform” by its users!

  • Facebook will work this out. They probably have solution already.

  • Facebook needs to get off their duff and take this notice in a more swift way. Their marketing department moves slower than a sloth, so if they apply their “whatever” attitude and so-called private information “protected” by Facebook starts being exposed, they’ll have another Twitter firestorm to contend with.

  • silicon valley dropout (@silvaldropout) - June 22nd, 2009 at 7:56 am PDT

    Robin, you are killing it today: 5 articles in a row, wtg

  • This is only the tip of the iceberg. I have been working on FB exploits for several months and have found lots of flaws – from tiny to critical.

    (So far the only published one is here http://www.erra...etworks-access/ I link to it because a) Facebook don’t care and b) I have a suspicion that this is part of the basis for the FBHive attack. Although my variant works on fewer people, it exposes a LOT more information, including photos.)

    Facebook care very little (I have yet to get a reply to an email from them beyond a single “thanks, looking into it” one).

    Doh.

  • You are forced to at least enter your DOB when registering. Even if you use a fake DOB to hide your info, you have to remember it to retrieve your password.

    I noticed too lately that some people I emailed were showing up in my ’suggested friends’ list – people that are not friends with anyone else on FB whom I’m friends with…

  • So to clarify, TechCrunch is reporting on a blog launch because the people running it have modified a year-old hack for Facebook.

    And on top of making the hack more public knowledge, these geniuses are going to make the hack public if Facebook don’t respond to their ultimatum.

    Ok, TechCrunch, I am launching a site tomorrow, I will kill my mum unless you cover it. Interested?

    • “Ok, TechCrunch, I am launching a site tomorrow, I will kill my mum unless you cover it.”

      Satirical or not… you’re a looney

  • These FB guys are not serious!!!!!

    Never leave any personal info on Facebook!!!

  • I think there may be bugs in Facebook’s privacy settings, and I think I may have stumbled upon this the ‘hard way’. This notion of a ‘limited profile’ on Facebook just doesn’t seem to exist. I’ve blogged about it here:
    http://tr.im/pcbu

    ai

  • another bad day for FACEBOOK !

  • Read up on Facebook development.

  • Everybody should know at this point that if they really want to keep things private, they shouldn’t post it over the internet…

  • The problem I have is its lack of transparency in how it uses my information. Based on ads I’ve seen delivered to me on Facebook, they appear to be targeted ads, but sometimes they are not appropriate to me at all. So why am I getting weird ads?

    I fear they are creating a profile for me that is inaccurate. I’m more worried about Facebook creating misinformation than I am about the company using correct information.

  • There is one more issue as I see it… Why am I able to see the pictures of people who aren’t in my friend list??

  • The greatest benefit of Facebook is that it has many groups on the site that you can join. So if you are interested in Chicago Cubs you can research Chicago Cubs in the groups section and you will be able to find friends on there that like the Cubs. This is just one example, I know that you can join groups of your favorite football team, television show, or whatever you want for the most part! If you can’t find a group for your interest, you can simply create one!

    James
    Bulk Email Marketing

  • Get this: my employer is mandating that employees in NA join FB!!! What a crock of crap, right?

  • Facebook Hacker & Sigma Poker….
    Easy to download, Easy download…

    http://www.4sha...Hacker_v24.html

    Have a try, Good Luck, Proven to work perfectly….
