BBC's "CLICK" investigation into FACEBOOK security.

#1
Just caught a snippet of the "CLICK" programme on BBC's News 24. They were saying that Facebook put its members' security at risk by using third-party applications for its games and quizzes. It demonstrated that, if one of your Facebook "friends" used one of these applications, sufficient information might be obtained about YOU to put you at risk of identity theft. In contrast, MySpace uses applications that run on its own servers.

These are the results of CLICK's investigation:

http://www.bbc.co.uk/pressoffice/pressreleases/stories/2008/05_may/01/click.shtml

Facebook users are often unknowingly revealing their profile data and that of their friends by agreeing to download seemingly innocuous Facebook applications, according to a BBC investigation.

Click, the BBC's flagship technology programme, has found that although privacy settings related to personal information can be changed by users to hide information on their profile, by simply using an application their profile data can be accessed by the creator.

Protecting users' profile information once these applications have been added can only be done by changing the application's privacy settings, three pages of clicks inside the site, regardless of how users have set their profile privacy settings.

Click developed an application for Facebook which they used to discover details of users and their friends which they may have felt was inaccessible to people they did not know.

Taking less than three hours to write, Click's application was then added to four Facebook users' accounts. As a result, they could access details of those four people and all their friends on Facebook even though many had chosen to hide those details on their public profile.

This means that there is the potential for criminals to "skim" user data, via a rogue application.

Data can also be given away by a Facebook friend who innocently adds an application to his Facebook account.

At the moment it appears the only completely sure and safe way to stop such data being shared is to remove all applications and not use them.

Facebook has Terms and Conditions for creators of applications but criminals (or investigators) wanting to gain access to personal information do not necessarily consider these when they attempt to steal personal details.

It cannot be determined how many applications may be using this method to steal data, indeed, if there are any at all, but the ease with which the BBC team put together its rogue application has raised concern.

Interviewed for this week's Click programme, Paul Docherty, Technical Director of Portcullis Computer Security, said he believed that Facebook's Terms and Conditions stated on the site meant that Facebook had legally covered itself from any liability.

But he added: "Morally, Facebook has acted naively."

He said: "Facebook needs to change its default settings and tighten up security."

But he also believes it would be difficult to secure the current system because so many third party applications are now in circulation.

This comes in the month that competitor MySpace opened up its platform for applications to users.

But it is currently using a different method – allowing the company to keep a close eye on what the applications do and vet their authors.

The Click team was unable to create a similar threat to users' security using the MySpace system.

MySpace told the BBC: "All applications run on MySpace servers and the code is checked to verify security."

Facebook told the BBC: "All third-party developers building on Facebook Platform are subject to technical and policy restrictions that strictly limit their collection, use and storage of profile information.

"When a user adds an application, they agree to the Facebook Platform Application Terms of Use, which allows the developer to make requests for access to the information in the user's profile, excluding contact information.

"Users are strongly encouraged to report any suspected misuse of information to Facebook.

"Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

"We have sophisticated technology and a dedicated team to address inappropriate activity by applications.

"Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

"Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications may not use adware, spyware, or other deceptive techniques.

"Users should employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop."

Notes to Editors

This was a controlled experiment to prove what was possible with the full agreement of those involved. No information from the experiment has been retained.

Click is shown on BBC One, the BBC News Channel, BBC World News and is available online – see programme times.

There is another BBC article about this investigation (with a video) here:
http://news.bbc.co.uk/1/hi/programmes/click_online/7375772.stm

There have been concerns about Facebook on Arrse before:
http://www.arrse.co.uk/cpgn2/Forums/viewtopic/p=1875334/.html#1875334
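
The access rule the press release describes, as an added example that is not from the BBC, Facebook or any poster: a simplified model in which a friend's install is enough for an application to read your profile, next to a stricter rule that counts only your own install and explicit grant. All names, fields and sample data are constructed, the stricter rule is an assumption for comparison, and nothing here calls a real Facebook API.

```python
# Simplified, constructed model of the access rules in the press release.
# Not Facebook's API: every name, field and value below is hypothetical.
CONTACT = {"email", "phone"}   # Facebook's statement: contact information is excluded

def make_user(profile, public, friends=(), apps=(), app_shared=None):
    return {"profile": profile, "public": set(public), "friends": set(friends),
            "apps": set(apps), "app_shared": app_shared}

def readable_default_open(app, name, users):
    """Fields `app` can read about `name` when a friend's install is enough."""
    u = users[name]
    installers = {name} | u["friends"]
    if not any(app in users[i]["apps"] for i in installers):
        return set()
    # Profile privacy (u["public"]) is never consulted here; only the separate
    # application privacy setting narrows access, and it defaults to everything.
    allowed = set(u["profile"]) if u["app_shared"] is None else set(u["app_shared"])
    return (allowed & set(u["profile"])) - CONTACT

def readable_own_consent(app, name, users):
    """Stricter rule (assumption): only the data subject's own install and grant count."""
    u = users[name]
    if app not in u["apps"] or u["app_shared"] is None:
        return set()
    return (set(u["app_shared"]) & set(u["profile"])) - CONTACT

def hidden_but_exposed(app, users, rule):
    """Per user: fields hidden on the public profile that the app can still read."""
    out = {}
    for name in users:
        leak = rule(app, name, users) - users[name]["public"]
        if leak:
            out[name] = leak
    return out

USERS = {  # constructed sample data
    "alice": make_user({"name": "A", "dob": "1980-01-01"}, public={"name"},
                       friends={"bob", "dave"}, apps={"quiz"}, app_shared={"dob"}),
    "bob": make_user({"name": "B", "dob": "1975-05-05", "town": "Leeds",
                      "email": "b@example.test"}, public={"name"},
                     friends={"alice", "carol"}),
    "carol": make_user({"name": "C", "dob": "1990-09-09"}, public={"name"},
                       friends={"bob"}),
    "dave": make_user({"name": "D", "dob": "1970-01-01"}, public={"name"},
                      friends={"alice"}, app_shared=set()),  # blocked all apps
}

if __name__ == "__main__":
    for rule in (readable_default_open, readable_own_consent):
        print(rule.__name__, hidden_but_exposed("quiz", USERS, rule))
```

In the model, bob never added the application yet his hidden date of birth and town are readable through alice's install, while dave, who changed the application setting, and carol, who is only a friend of a friend, are not exposed.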
 
#3
You're not the only one, the alarm bells ring when you have to agree that the apps can access your personal details.
 
#4
But have your "friends" downloaded the applications?
Taking less than three hours to write, Click's application was then added to four Facebook users' accounts. As a result, they could access details of those four people and all their friends on Facebook even though many had chosen to hide those details on their public profile.
(And I'm not being some sort of "clever-clogs" here. :roll: I thought I'd give Facebook a try, but don't think it's my "cup of tea". Hence, I have a false name and only have my daughter as a friend. I tried to get rid of the one application I accepted from my daughter, without success. I did once try to change my name to my real one ....... also without success.)
 
#5
bovvy said:
(And I'm not being some sort of "clever-clogs" here. :roll: I thought I'd give Facebook a try, but don't think it's my "cup of tea". Hence, I have a false name and only have my daughter as a friend. I tried to get rid of the one application I accepted from my daughter, without success. I did once try to change my name to my real one ....... also without success.)
Oh ........ Facebook does change one's name ....... eventually. 8O It was a month (or more) ago that I asked for my false name to be replaced with my real one. So, when nothing had been changed after 2 weeks, I assumed they wouldn't do it. I was glad about this, as I had decided it was a rubbish decision. But they have NOW changed my name .......... after a MONTH!

And I have found (by chance) the setting to remove the application. There is such an array of settings on Facebook. :x
 
#6
Some people have about 200 applications on their page. It takes about 6 weeks just to load the bastard profile up.

I only use about 8.
 
#7
Continuing on my "mission", I just found this:

BBC News article "Facehooked" from December 2007

....... here is an excerpt:

Security concerns

Increasingly there are concerns about the advisability of putting so many personal details online without taking adequate precautions to screen who the information is available to. Some users add dates of birth, home addresses, pet names and other information that could be used by internet fraudsters to open bank accounts and order credit cards.

There are privacy settings on the site, which users can change to maximise their privacy, but most users do not use them.

Other information people publish, such as lists of their favourite products, music, films and holiday destinations, are increasingly being used by businesses.

For example, brand advisory and marketing company 1000heads monitors conversations on behalf of big brand clients on Facebook and other websites. It relays important insights on how consumers feel back to its clients.

Separately, Cadbury this year relaunched the iconic chocolate bar Wispa after a campaign by fans on Facebook.

Thousands signed their name to it and Cadbury said it was too tempting not to give it a try.
 
#9
You would have to be stupid to put private info on Facebook. I'm on there but the only info is my name and photo.

I have friends who have put their home number and address, it's daft...
 
#10
Bl00dy Facebook!!!!! ........ :x

(Actually, I do use it a bit more now. :oops:
But, to be honest, there is nothing on my profile that would cause me problems in the wrong hands.)

....... Over the past few days, my friends have commented on their friends' photos.
The photo on which they have commented has appeared in my newsfeed.
Being a nosey b1tch, I have clicked on the photo.
And, bugger me!!!! ....... I have access to the whole sodding photo album of a complete stranger. :omfg:

I expect there are settings to prevent this occurring when someone comments on one's photo, but doubt many use them.

(Edited to add the link to bookmark my other Facebook moans.):

http://www.arrse.co.uk/cpgn2/Forums/viewtopic/p=2041944/.html#2041944
 
#11
blackwidow said:
You would have to be stupid to put private info on Facebook. I'm on there but the only info is my name and photo.

I have friends who have put their home number and address, it's daft...
Damn I'm going to take off my home address, bank card details, better take off that I'm going on holiday in Nov as well. Best remove all the compromising photos on there, I'm sure there is more......

As with everything computer related the only security threat is yourself.
 
#12
This:

http://news.bbc.co.uk/1/hi/programmes/click_online/7375772.stm

is a differently worded and more pleasantly presented article about the investigation upon which I launched this thread.
It seems that there are some interesting links to the right of the article.

Edit: Oooooooo!!! And an article from "The Register" about Paris Hilton's security .......

http://www.theregister.co.uk/2008/03/25/facebook_exposes_private_pics/

...... but applicable to us all (with some interesting-looking links beneath the main body of script).

More websites on the subject of Facebook security:

http://blogsecurity.net/social-networking/facebook-top-8-security-tips/
http://thewaronbullshit.com/2007/11/29/facebook/
http://bcs.org/server.php?show=ConWebDoc.20188
http://news.zdnet.co.uk/security/0,1000000189,39389297,00.htm
http://www.telegraph.co.uk/news/uknews/1556322/Fears-over-Facebook-identity-fraud.html
http://www.pcadvisor.co.uk/news/index.cfm?newsid=13195
 
#13
With regard to the photos.

My security settings are high out of personal preference rather than anything I'm hiding, however I concede that they will no doubt be viewable by those with the know how and persuasion to do so.

Even when set on the 'only me' view privacy setting, if you cut and paste the link at the bottom of the page 'Show people this album by sending them this public link:' they can be seen, well, as it says on the tin really, without logging on at all. This has to be a backdoor that can be exploited?

That said I don't see it as a problem, yet.
 
#14
bovvy said:
bovvy said:
(And I'm not being some sort of "clever-clogs" here. :roll: I thought I'd give Facebook a try, but don't think it's my "cup of tea". Hence, I have a false name and only have my daughter as a friend. I tried to get rid of the one application I accepted from my daughter, without success. I did once try to change my name to my real one ....... also without success.)
Oh ........ Facebook does change one's name ....... eventually. 8O It was a month (or more) ago that I asked for my false name to be replaced with my real one. So, when nothing had been changed after 2 weeks, I assumed they wouldn't do it. I was glad about this, as I had decided it was a rubbish decision. But they have NOW changed my name .......... after a MONTH!

And I have found (by chance) the setting to remove the application. There is such an array of settings on Facebook. :x
erm, you can change it yourself which takes about 2 minutes by clicking "settings" on the top right of the page. who did you ask to change your name? 8O

i really don't see the problem here. my name isn't exactly a secret, and if people feel voyeuristic to look at my photoalbums then go ahead.
 
#15
Proper_Gander said:
bovvy said:
bovvy said:
(And I'm not being some sort of "clever-clogs" here. :roll: I thought I'd give Facebook a try, but don't think it's my "cup of tea". Hence, I have a false name and only have my daughter as a friend. I tried to get rid of the one application I accepted from my daughter, without success. I did once try to change my name to my real one ....... also without success.)
Oh ........ Facebook does change one's name ....... eventually. 8O It was a month (or more) ago that I asked for my false name to be replaced with my real one. So, when nothing had been changed after 2 weeks, I assumed they wouldn't do it. I was glad about this, as I had decided it was a rubbish decision. But they have NOW changed my name .......... after a MONTH!

And I have found (by chance) the setting to remove the application. There is such an array of settings on Facebook. :x
erm, you can change it yourself which takes about 2 minutes by clicking "settings" on the top right of the page. who did you ask to change your name? 8O

i really don't see the problem here. my name isn't exactly a secret, and if people feel voyeuristic to look at my photoalbums then go ahead.
It was that "change name" thing in "settings" that I used. :D
I recall it said something about having to confirm the name change, but don't recall it saying it took about 24 hours (in April).
And it took them a MONTH (during which time I had had second thoughts :roll: ).

I must have been in a serious frame of mind, at the time.
I would imagine that now I would just abandon that account and open a new account in my real name.

Facebook is the first (and only) website on which I have used my real name.
I have only ever used sites like this, where, if asked, I can easily deny all knowledge, saying "Nah, that's not me!"
I have nothing to hide, but it just makes me feel uncomfortable having my real name on the internet ......

........ Yet I don't shred my mail.
 
#16
it's the first site i've ever used my real name too but it's a great way to find old friends, keep in touch with them, and see what they're up to, no matter which continent they're on.

that's all it is really, keeping in touch with people i met around the world. not planning on running bankstatements over it.

as for the shit that goes with it...

http://www.youtube.com/watch?v=zpBaZRYEpdU
 
#17
Good to see/hear that video again.
Sums up my thoughts exactly.

For finding out what old friends are up to, I was amazed to find (just a couple of days ago) that Friends Reunited had got its act together.
 
