DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
June 27, 2008
Facebook suspends Top Friend peephole app
Vancouver-based computer technician Byron Ng, who likes to prod social networks for holes and other errors, stumbled across a way to learn more about Facebook users than you're supposed to be able to--prompting Facebook to suspend the Top Friends application late on Wednesday.
Until Facebook suspended the Top Friends app, created by Slide, anyone could browse partial profiles of anyone else on Facebook who had added Top Friends to their page. ZDNet.com.au's US sister site CNET News.com confirmed that the security hole exposed the birthdays, gender, and relationship status of strangers, including Facebook executives, the wife of Google co-founder Larry Page, and one profile that seemed to belong to Paris Hilton that used her middle name "Whitney."
Basically, the app was not obeying the privacy settings specified by the user, enabling anyone with the know-how to bypass the security once they obtained someone's Facebook ID number.
"We expect third-party apps to follow the rules the users set," Ben Ling, director of platform product management at Facebook, said in a phone interview Wednesday. "With Top Friends, the privacy settings of the user were not being respected according to the privacy policy terms of use."
Less than six hours after CNET News.com contacted Facebook on Wednesday about the matter, the company decided to suspend the Top Friends app, meaning no one can use it, Ling said. The company is also conducting an ongoing investigation into the matter, he said.
Meanwhile, another third-party app that Ng disclosed a security hole in, Super Wall, was fixed. With Super Wall, which was created by RockYou, no personal data is revealed, but anyone could have viewed the Super Wall of any other user, even if they were not friends.
"Super Wall is respecting the privacy rules of the site," Ling said, adding that data created in the apps is not governed by the same privacy policies as user profile data.
Before the app was suspended, CNET News.com was able to use Top Friends to pull up profiles of Bobby Jindal, the Republican governor of Louisiana who's been talked about as John McCain's running mate; Facebook Chief Operating Officer Sheryl Sandberg; Jonathan Heiliger, Facebook's vice president of technical operations; and what is believed to be a page for Hilton.
Similar steps were taken to view the Super Wall pages for Sandberg, Facebook founder Mark Zuckerberg; Google executive Marissa Mayer; and Lucy Southworth, wife of Google founder Larry Page.
By accessing these pages it is easy to get the Facebook ID numbers for their friends and see their pages, as well.
Nothing on the Super Walls was all that juicy (who hasn't been annoyed by the "Click forward to see what happens" spam?), but the information revealed through Top Friends is sensitive and could have been used to commit identity theft if it landed in the wrong hands.
"Any Facebook user who adds an application to their profile is agreeing to give any of their personal information to the developer of that profile," Ng wrote in an e-mail after walking News.com through a demonstration of how to exploit the security holes. "Facebook has pretty low barriers of entry with regards to becoming a developer. You just need a Facebook account and to fill out some online forms."
It would be fairly easy for someone to create a new Facebook app that could be used to steal people's information, he said.
"Of course, it's against the Facebook terms of service for an application to store someone's personal information, but there's NO WAY for Facebook to verify compliance since Facebook applications run on PRIVATE THIRD-PARTY SERVERS, not on their own servers," Ng wrote.
Ng uncovered a way to snoop on strangers' SuperPoke pages a few weeks ago and Facebook promptly plugged it. He also exposed a hole in MySpace earlier this month that allowed people to see private photos of Hilton and her celebrity pal Lindsay Lohan, and currently there is an open hole in MySpace that allows anyone to create a discussion group and delete other peoples' bulletins, even if they are not the group leader, he said.
A MySpace representative said late Wednesday she was looking into the matter.
Source: ZDNet Australia
All news for October, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
