Showing posts with label facebook.

Facebook, the early years: handing out a master password like candy

http://nakedsecurity.sophos.com/2013/07/19/facebook-the-early-years-handing-out-a-master-password-like-candy/
Facebook founder had a master password
You are not paranoid about surveillance - at least, not as far as Facebook is concerned. It appears that Facebook founder Mark Zuckerberg and his minions, in the early days, had a master password with which they could sign in to any user account and poke at whatever data we entrusted to the site.
The Guardian gleaned this from Zuckerberg's former speechwriter, Katherine Losse. Losse told the media outlet that users should be guarded with their private data on the site - a timely warning, given the launch of Facebook's social search tool, Graph Search. Losse - aka Facebook employee No. 51 - joined the company in 2005 as a customer support staffer and worked her way up to being Zuckerberg's ghostwriter. She left in 2010 and, according to the Guardian, is now regarded as a rogue former employee by Facebook itself.

Obtaining the primary Email address of any Facebook user

Given only their ID, it was possible to obtain the primary email address of any Facebook user regardless of their privacy settings.

Anyone who has subscribed to a public mailing list knows the problem of members inviting their entire contacts list, including the mailing list, to every new social site and app. This has turned mailing list archives into a Wayback Machine for email notifications. Searching through some old mailing lists I came across a Facebook invitation reminder circa 2010:

http://stephensclafani.com/2013/07/09/obtaining-the-primary-email-address-of-any-facebook-user/
Facebook

Never, EVER, Trust Facebook

Facebook users story

I stopped using Facebook a long time ago, but I didn’t want to remove my account and have no visibility on how or what Facebook might be showing about me or someone using my name. So I decided to simply remove all my Facebook content.

Just over a year and a half ago, on January 30, 2012, I deleted every single Wall post I had ever made. By hand. One. By. One.

Last October, I logged in for a look-see and was stunned to find out that all of my deleted posts had been restored by Facebook and were present on my Timeline for all my friends to see. I fumed. I cursed them loudly on Twitter.
Deleting Facebook posts

Never trust facebook | The well-prepared mind

Facebook pays $20K for easily exploitable flaw that could have led to account hijackings

Facebook has paid out $20,000 for a serious bug that could have allowed an attacker to hijack anyone's account with ease, with no user interaction on the part of the victim.

http://nakedsecurity.sophos.com/2013/06/28/facebook-pays-20k-for-easily-exploitable-flaw-that-could-have-led-to-account-hijackings/
Facebook fixes serious bug
Jack Whitton, the UK-based application-security engineer (by day) and security researcher (by night) who discovered the flaw, said in a post mortem on Wednesday that he reported the hole to Facebook on 23 May and that it was fixed by 28 May.

The exploit was enabled by manipulating the way that Facebook handles updates to mobile phones via SMS.

Facebook bug fixed | Naked Security

Hijacking a Facebook Account with SMS

Facebook account hijacking

This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction. Enjoy.

Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.

The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to.

Continue to the article: Hijacking a Facebook Account with SMS | fin1te

Facebook security bug exposed 6 million users' personal information

Facebook Security bug
Facebook Security
Facebook recently received a report to their White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.

The security team has concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the Download Your Information (DYI) tool.

Important Message from Facebook's White Hat Program | Facebook Security

Securely Developing on Mobile

Facebook Security
For everyone who couldn’t make the forum yesterday, we have documented some of the best practices for developing on Android and iOS, and we're excited to share them with other developers.