Facebook Bug Could Give Spammers Names, Photos
angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."
*Smack Face* (Score:5, Insightful)
Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photo's and names than to build it in there!
Re:*Smack Face* (Score:4, Insightful)
I think the summary and story is looking at wrong aspect about it too. Spammers, whatever. You're just one in a million. This is a lot more serious about people that just know your email, but are in more personal contact with you than some spammers. Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity. That's a lot more serious privacy violation.
Re: (Score:3, Insightful)
I don't see what the big fuss is... it's your name. If someone has your email address, they probably have some sense of who you are. If you don't trust them with your real name, then at the very least have some forethought and give them a throwaway email address.
Me, I'm Bill Lambert. My email address is billco@fnarg.com . Says so on my whois records. Big fucking whoop. That's what spamassassin is for.
Re: (Score:2)
Re: (Score:1)
Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity.
Yet another reason to hide your email on forums' public profiles.
If FB fails to change anything, then more power to me for avoiding it. I can't believe this past two years: google improved forum indexing to the point that too much crap obscures legit searches ... spammers have also gotten real good at stealing, curating my personal data and cloning it in a way to contribute to the above "crapflood." Phone books cannot even dream of the power of the spammers for aggregating data to piece together exactly who
Answer: some 22yo kid on a powertrip (Score:2, Funny)
Re: (Score:2, Funny)
Seriously? Who is freaking writing these web pages?
Probably an ex-Slashcode developer.
Re: (Score:1, Informative)
It would have been easier to NOT include photo's and names than to build it in there!
Dude, please learn when to use an apostrophe [angryflower.com]. We have lots of non-native English speakers here, and they may assume that your use of language is educated, seeing as how this is a nerd site and all.
Moderators, please mod me down, I'm offtopic. Thx.
Re: (Score:1)
Maybe he's a non-native speaker himself ;)
Re: (Score:2, Informative)
It is a bad habit I have. I'll write a sentence, then I'll read it over, and decide to change the structure entirely, then re-read it a bit to make sure it makes sense, then put it up there without looking too much at grammar.
So if I had said something like "The photo's location" but then decided the location part is irrelevant and I could just work it around to just say "the photos" then I do so, but its all cut copy paste delete so the apostrophe remains in place. Makes errors and I apologize.
I also tend
Re: (Score:2)
Posts *CAN* be edited.
It's called 'preview' and 'continue editing.'
While I may not be one to use it that often, I do use it now and then, and I am quite aware of it. Those unaware of it have a very narrow focus and might wish to be checked for tunnel vision.
Re: (Score:2)
No, it's a genitive - the location of the photo.
Re: (Score:2)
No, "the photo's location" is correct. It's a possessive (the other time you use an apostrophe).
George's dog is brown, George's cat is white, George's location is unknown. The photo's contrast is bad, the photo's focus is bad, the photo's location is in the trash. If it were more than one photo it would be "the photos' locations".
Re: (Score:2, Interesting)
I'm not defending their choices, but there is a legitimate reason why they would do this. Some users mistype their username, not their password. This results in a "failed login" screen. If there is no photo (or name) they may assume they have mistyped their password, and keep trying it over and over. Throwing up the picture associated with that account helps the user figure out that the reason they can't
Re: (Score:2)
I see your point, and it is an excellent one. However, I think I would have preferred it being some kind of bug that suggests the page you are being redirected to when failing to login goes to a default page which then loads certain controls (like other facebook pages), and that it naturally shows the info when you are logged in. As opposed to a logical error that someone thought this would be a good idea and didn't consider the consequences of privacy involved with it. Not that I'm surprised with the current
Re: (Score:3, Insightful)
Re: (Score:2)
Because a surprisingly large number of internet users are blind or have poor eyesight, and your system would exclude them from facebook ....Just like they are excluded from ING's website ...
Re: (Score:2)
I wonder how the AJAX-crazy Facebook would work for the poor-sighted anyway... I have a hunch: not very good.
And imagine the TTS-engine:
"Moron McDumbass needs an UZI for a Mafia Wars raid.
Moron McDumbass needs bullets for a Mafia Wars raid.
Moron McDumbass needs a getaway car for a Mafia Wars raid."
Re: (Score:3, Insightful)
I wouldn't call that a legitimate reason since that implies, well, legitimacy. Instead, it's simply a possible explanation for how they arrived at their poor choice.
A more secure solution to the problem you pose would be to clear the user name on the "failed login" screen in addition to the password, regardless of which is incorrect. And if anyone wants to argue that having to retype both would be inconvenient, I'll preemptively counter by saying security should not be sacrificed for the sake of convenience
Re: (Score:2)
Re: (Score:2)
Re:*Smack Face* (Score:5, Insightful)
I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.
It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.
Re:*Smack Face* (Score:5, Interesting)
I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases, I kept replying and forwarding them to sprint's customer care and they basically told me they can't do anything about it and to just delete them and not worry about it.
It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?
Re: (Score:3, Interesting)
I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.
Glad to know I am not the only one. My yahoo email address, which I have used since the mid 90s when they started offering email (back when 9 characters was the maximum name size....) gets the same thing, legitimate "thanks for signing up" from legit companies, where some idiot didn't know their own email address. Ironically, my email
Re: (Score:1)
I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.
My e-mail address is also my full name with a "dot net" at the end, and I have chronic issues with customer service reps who don't know how to type anything other than "dot com".
That is pretty ridiculous about not being able to unsubscribe, though.
Re:*Smack Face* (Score:5, Interesting)
I had the same problem happen, with some extremely sensitive data coming in.
In addition to somewhat mundane things like airline confirmations, hotel confirmations, etc, there were several letters about legal problems. The person they were trying to reach is apparently the head of an investment group and under investigation by the SEC. I also once received an email containing a bank account number with routing number. Usually it was sent to his (proper) business address and CC'd to my address, which I assume they thought was a personal address for him. When correspondence from lawyers started coming in I decided it was well past time to start emailing these people and telling them to oh my god please stop. That's a can of worms I just wanted no part of whatsoever.
I did do a quick Google search for the guy; same last name, different first name (same first initial, the combination of which is my email address). Really a problem that shouldn't have happened, especially not that many times from that many different sources.
Re: (Score:1)
Re:*Smack Face* (Score:4, Insightful)
This is why I do not use my name as part of my e-mail address.
This cuts down on that problem considerably.
Re: (Score:2)
Actually it depends on what your name is. If your name is John Smith, then yes using your name for a somewhat unique identifier is a bad idea. In my case I have a 4-letter last name and it is very 'rare' (probably less than 100 people with that last name).
Re: (Score:2)
That's only 10,000 combinations. Brute force script it. Don't bother testing for success, just blast 10,000 HTTP requests at them.
Re: (Score:2)
If only one would combine the LOIC with a brute-force script. DDoS + password stealing all in one.
Bet 4chan would shit themselves over that. While AES256 may take the universe suffering from total entropy before it got cracked, I bet with a good logistical separation and delegation of sections to attempt they could crack it.
Just simply brute-forcing it would take eternity. Use a little statistics and logistics, and some proper task delegation, I'd be willing to bet that a brute-force could be accomplished w
Re: (Score:2)
Last year I had someone at the Sierra Club having their mail being forwarded to me. The guy's name was identical to mine.
I replied to it saying I must be getting their emails, but I guess it wasn't important.
I got confidential email after confidential email. Even emails that "Sally was not impressed with the way you guys left the kitchen today". So I had some fun replying to some of their emails.
It took them a few months before anyone finally fixed it - or the guy finally realized that his email wasn't
Re: (Score:2)
I get this too. My name is not that common, unfortunately the idiots making the mistake are the same ones again and again. I'm now at the point that I can guess which idiot, as I know enough about their interests from what websites they sign up to.
It's just as bad when they tell their friends or colleagues the wrong email address. It took me a year to convince a certain military outfit that I was not part of their unit and to stop sending me orders about next week's operations. God knows what was happe
Re: (Score:2)
Re: (Score:1)
Not only that, but I take it if someone like me were to use facebook without adding pictures, but just to stay in touch, I guess you would not get much other than my online name (which is never the real name) and an empty picture box.
Not a Bug (Score:5, Funny)
It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!
Re:Not a Bug (Score:5, Funny)
It's a very serious bug. Spammers aren't _supposed_ to be able to scrape that information without paying facebook for it.
Re:Not a Bug (Score:5, Funny)
It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!
Imagine how much simpler the plot for The Bourne Identity would have been.
Not The Only Problem (Score:5, Insightful)
Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.
Re: (Score:3, Interesting)
Re:Not The Only Problem (Score:4, Informative)
Re:Not The Only Problem (Score:5, Informative)
Re: (Score:1, Insightful)
How exactly?
Facebook's configuration is so convoluted. Everything is spread around on different pages and stuff, so annoying. It's very hard to find any particular privacy or profile setting.
Re: (Score:2)
Account->Privacy Settings->Basic Directory Info
I agree, it is annoying.. It took me 30 minutes to find (the first time). I think it's been cleaned up since then.
Re: (Score:1)
Re: (Score:3, Informative)
Only if 'Search for me on Facebook' is set to 'Everyone'
http://www.facebook.com/settings/?tab=privacy&section=basic [facebook.com]
Re: (Score:2, Insightful)
I have no FB account (never will, either!) yet I can do a google cache search AND get 'goodies' on FB users that way.
so, that's yet another hole that needs to be patched.
Re:Not The Only Problem (Score:5, Insightful)
This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".
POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.
Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.
So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.
It's not a bug, it's a feature (Score:2)
Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.
People from our lab have a paper coming up at RAID this year pretty much on the same issue, exploited at a large scale (trying millions of email addresses): http://iseclab.org/papers/raid2010.pdf [iseclab.org]. Read it if you want to get an idea of how much impact such an attack can have. As a spammer, if I know the full name and list of friends (public information on facebook) associated with an email address in my spam targets list, I can do some very sneaky, targeted spam pretending to come from one of your friends...
Wow (Score:2, Redundant)
Get ready for another irreducibly complex tier of privacy settings, I'm sure.
Re: (Score:2)
From TFA (Score:5, Funny)
>>Scraping Facebook for this type of information is prohibited, she added.
Oh, yes. That'll stop 'em. Stern warnings always do.
Re: (Score:3, Funny)
Strongly worded public letters deter most bots.
Re:From TFA (Score:4, Insightful)
They should probably throw in a logical paradox to make their heads explode or short circuit. Like "It's forbidden to use this picture and name for evil purposes, because people want privacy, even though they put it all up there suggesting they don't want privacy... think about that."
There's only one problem...
"Santa-bot: Nice try. But my head was built with paradox-absorbing crumple-zones"
Re: (Score:2)
Need an adult (Score:4, Insightful)
Re: (Score:2, Informative)
Ageist much? Do you really think that a CEO like Zuckerberg wrote, demanded or even approved something as simple as a "spice up the login error page" project?
Anyway, the guy is 26. He can buy booze, fight for his country and successfully run a multi-million dollar company. Most of slashdot, even adult slashdot, cannot claim all three.
Finally, I really don't know what all the commotion is about, I just logged out of Facebook and tried logging back in with my email address and a bad password; I got the standa
Re: (Score:3, Funny)
</sarcasm>
Could? (Score:1, Insightful)
"Could" be misused? How about "has" and "is"?
Correction (Score:2)
> that could be misused by spammers to harvest user names and photographs.

...that has been widely used by spammers, collection agencies, the government, terrorists, aliens (from outer space and otherwise), foreign governments and the like to harvest user names, photographs and e-mails for years.
There. Fixed that for you.
Scrambling, my ass... (Score:4, Insightful)
Re: (Score:2, Funny)
The site should go down for maintenance until they fix the issue, and only then brought back online.
Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking facebook access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)
Re: (Score:2)
The site should go down for maintenance until they fix the issue, and only then brought back online.
Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking /. access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)
FTFY
This flaw is no longer available (Score:5, Informative)
This flaw is no longer available on Facebook logon pages.
In fact it was removed before this story made it to the /. front page.
It was removed approx. 11 hours after the first public articles about it.
- Jesper
Re: (Score:2, Offtopic)
+1...if I could.
Again Slashdot delivers slow, out-of-date news.
Re: (Score:3, Insightful)
In this case, I consider it a good thing.
Re: (Score:2)
Why? Given the shit concerning this site, one would think it would have been better for this knowledge to get out even faster so people would know to drop that site like a hot lava rock.
Re: (Score:2)
Re: (Score:3, Interesting)
Really? I just went to Facebook, put my email address and a bad password in, and I see "Login as: [My full name] [my email] Not you? click here". My picture is a blank picture, but it always is because I have all pictures turned off publicly. So, if they've removed the flaw, they've either not deployed it to all their servers yet (possible), or they really did a bad job of removing it.
Re: (Score:2)
What happened when you tried someone else's e-mail address?
Re:This flaw is STILL available (Score:1, Informative)
I just tested it. Logged out, logged back in with the wrong password.
Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.
Where are you getting your information again?
Re: (Score:1, Informative)
I just tested it. Logged out, logged back in with the wrong password.
Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.
Where are you getting your information again?
Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before. I just tried a friend's email address and wrong password, and it didn't show me any information about him. He has never been logged into Facebook on this machine.
Return vs. Fresh Login (Score:5, Informative)
Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.
That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.
On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.
On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.
A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.
Re:Return vs. Fresh Login (Score:5, Funny)
Re: (Score:2)
Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.
Re: (Score:2)
Try clearing your cookies in between (or just use a different browser), or test it with someone else's email address. It only shows your name and photo if you were previously logged on with the same account.
I'm not sure how wise that is, but it's certainly an improvement over any random person being able to extract the information (assuming, of course, that your name and photo aren't already publicly associated with that email address via other channels).
Rolling out might take time? (Score:2)
Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.
Fair enough, you tested it and found the flaw alive and kicking.
Did you flush your browser cache before testing? And did you ensure that you are not getting the page from a proxy server somewhere between you and the FB server?
If you are still getting the flaw (as I can see a number of other users are also reporting) my guess is that:
1.) They are getting cached results from somewhere
2.) Facebook has fixed the flaw, but propagating it to their 32.000 servers (literally dude) takes a little time.
Obvio
Re:This flaw is no longer available (Score:5, Funny)
Slashdot: recent history for nerds, stuff that once mattered.
Re: (Score:2)
Just tried right before this post with a browser I don't use Facebook on, with a couple email addresses for users from a forum that I admin. It most definitely showed real names for the people, although not pictures. Could be that none of them have pictures. It took 3 failed logins and then a captcha before it showed the name.
Re: (Score:2)
Optomist... (Score:1)
Scraping (Score:3, Insightful)
Jeez... you can write a perl script to do the scraping in about 15 minutes.
Besides the fix for the insecure functions on the page, I certainly hope they are doing IP blocking....
But what a bunch of PR jumbo... the problem is the result of a bug?? I'd disagree. I've seen the login error page. The function of showing the image and repeating the email address is by design . A horribly insecure design in the context of Facebook's privacy settings setup. But it was a design decision, not a bug.
At least that's how I see it.
Re:Scraping (Score:4, Interesting)
``But it was a design decision, not a bug.''
Also, not telling whether they got the username correct or wrong is security 101.
This is yet another case of Facebook having done the wrong thing for their users' privacy, and correcting things only to lessen the negative publicity. It's not an accident.
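The two points raised in this thread, that a failed login should clear both fields and respond the same way whether the e-mail or the password was wrong (the post above and the earlier "clear the user name on the failed login screen" suggestion), and that a spammer without your cookies should get nothing, are easy to show side by side. The following is an added example written for this page, not Facebook's code and not from the IDG article: a leaky login handler that behaves the way the thread describes, a uniform one that does not reveal whether the address has an account, a cookie-gated variant of the "Not you?" convenience, and a per-source failure limiter along the lines of the IP blocking one poster hoped for. The user records, e-mail addresses, IP addresses and the fixed salt are all constructed sample values.

```python
"""Added example: login responses that do and do not leak account identity.

Nothing here is Facebook's implementation; the account store, addresses and
salt are constructed so the block runs offline and deterministically.
"""
import hashlib
import hmac
from collections import defaultdict


def _hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample store: email -> (salt, password hash, display name).
# A fixed salt is used only to keep the example deterministic.
_SALT = b"constructed-example-salt"
USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse", _SALT), "Alice Example"),
}

# Hash of a throwaway password, so the unknown-address path does the same
# amount of work (and takes the same time) as the known-address path.
_DUMMY_HASH = _hash_password("not-a-real-password", _SALT)


def leaky_login(email: str, password: str) -> dict:
    """The behaviour the thread describes: the message differs for unknown
    addresses, and a wrong password echoes back the account holder's name."""
    rec = USERS.get(email)
    if rec is None:
        return {"ok": False, "message": "No account for that e-mail address"}
    salt, stored, name = rec
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return {"ok": True, "name": name}
    return {"ok": False, "message": "Please re-enter your password", "name": name}


def uniform_login(email: str, password: str) -> dict:
    """Same response for 'no such account' and 'wrong password', and no
    profile data on failure; the hash is computed either way."""
    rec = USERS.get(email)
    salt, stored, name = rec if rec is not None else (_SALT, _DUMMY_HASH, None)
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    if rec is not None and matched:
        return {"ok": True, "name": name}
    return {"ok": False, "message": "Incorrect e-mail address or password"}


def login_with_returning_hint(email: str, password: str, last_login_cookie=None) -> dict:
    """Cookie-gated 'Not you?' hint: the stored name is shown on failure only
    when this browser's own cookie already names that same account, which is
    what later posts in the thread observed. A third party has no such cookie."""
    result = uniform_login(email, password)
    rec = USERS.get(email)
    if not result["ok"] and rec is not None and last_login_cookie == email:
        result["name"] = rec[2]
    return result


# Per-source failure limiter (assumed threshold; a real deployment would also
# expire counters and consider per-account limits).
FAIL_LIMIT = 5
_failures = defaultdict(int)


def rate_limited_login(source_ip: str, email: str, password: str) -> dict:
    if _failures[source_ip] >= FAIL_LIMIT:
        return {"ok": False, "message": "Too many attempts; try again later"}
    result = uniform_login(email, password)
    if result["ok"]:
        _failures.pop(source_ip, None)
    else:
        _failures[source_ip] += 1
    return result


def leaks_account_existence(login_fn) -> bool:
    """Defender's check: does a wrong password against a known address get a
    different response than against an unknown one?"""
    known = login_fn("alice@example.com", "wrong")
    unknown = login_fn("nobody@example.com", "wrong")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler leaks existence:", leaks_account_existence(leaky_login))
    print("uniform handler leaks existence:", leaks_account_existence(uniform_login))
```

The `leaks_account_existence` check is the one worth keeping in a test suite: it asserts the property the "security 101" post asks for, rather than any particular wording, so a later redesign of the error page cannot quietly reintroduce the difference.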
The word AND is not in short supply (Score:1, Interesting)
"Facebook Bug Could Give Spammers Names, Photos"
Names, Photos?
A comma was traditionally used in printing headlines in place of "and" because the litho did not usually have an ampersand character with which to save space.
There is no excuse for this misuse of the comma in the 21st century.
Re: (Score:2)
*does not affect deactivated accounts (Score:3, Funny)
Predicted long ago (Score:4, Interesting)
"We were warned?"
Re: (Score:2, Interesting)
"Long ago" being any length of time greater than about 3 years???
Re: (Score:2)
can also just search for email address. (Score:2)
Works for me (Score:2)
I don't have a facebook account, but I tried a few random emails (pretty much name@gmail.com), and came up with a full name and photo (although more commonly just the full name).
Internet security (Score:4, Insightful)
Q: Is your personal data safe?
A: [in form of a question] Is it in anyway a part of the internet, including being on your own computer in your own home, which is connected to the internet? If yes, then no.
Hell, even if I don't have a Facebook account and someone takes a picture of me and uploads it to Facebook and tags it with my name then the internet knows what I look like. Privacy is a joke.
On the other hand, perhaps there's a market in creating false identities for people as a false data internet flood. As a business they would sign up for popular social networks with your name and upload a variety of pictures claiming to be you, with routine updates about things you're not actually doing. They could use their client list to 'friend' each other and build a nice false society. If someone on the internet ever posted true or factual information or pictures about you it would be considered less reliable due to the voluminous FUD being provided by the company hired to provide false information, and therefore discarded.
Not news (Score:1)
What is the bug again? (Score:2)
"We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," a company spokeswoman said in an e-mail message. "We are already working on a fix and expect to remedy the situation shortly."
If by "upon login" they mean when a wrong password is entered, I don't understand what the bug is, since the "Is that you?" screen is the intended behavior, not a buggy one. By the way, it only happens if the email address matches the account which was last logged in on the browser, and it forgets it if you wipe the cookies (maybe the "bug" is already fixed?). But even if that page was shown for any email, that's not the only or even the easiest way to get the name and picture matching an email; th
Mark Zuckerburg Doesn't Really Care (Score:1, Offtopic)
Want to be found? (Score:1)
Re: (Score:2)
> Don't use real names on FB.
I think it may be a good idea the create an FB account in your real name, but it should be a dummy account, existing just to block "pranksters" from using it.
not a bug (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
Almost certainly some brain dead acquaintance of yours knows both your email addresses, had them in their email address book under your name and allowed Facebook to rifle through it when they signed up.