Hackers Can Delete Facebook Friends, Thanks to Flaw
The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. But as of Friday morning, Pacific time, it had still not been patched, based on tests conducted by the IDG News Service on a reporter's Facebook friends list.
A malicious hacker could combine an exploit for this bug with spam or even self-copying worm code to wreak havoc on the social network, Abbagnaro said in an interview.
He's written proof-of-concept code that scrapes publicly available data from users' Facebook pages and then, one by one, deletes all of their friends. For the attack to work, however, the victim would first have to be tricked into clicking on a malicious link while logged into Facebook. "The next thing you know, you have no friends," Abbagnaro said.
The security researcher is not going to release the code used in his attack until after Facebook fixes the flaw, but he says that technically competent hackers could figure out how to pull off the attack.
That's because Abbagnaro's code exploits the same underlying flaw that was first reported by M.J. Keith, a senior security analyst with Alert Logic.
Last week, Keith discovered that Facebook's Web site was not properly checking code sent by users' browsers to ensure that they were authorized to make changes on the site.
Called a cross-site request forgery bug, the flaw is a common Web programming error, but Facebook has had a hard time eradicating it from the site. After Keith first reported the issue, Facebook thought it had fixed the problem, only to discover that it could still be exploited to make users "like" Facebook pages without their consent.
Similarly, Facebook appears to have missed Abbagnaro's delete-friend vector as well.
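An added example, not code from Facebook or from either researcher: a minimal Python model of the missing check described above, with a friend-removal handler that trusts the session cookie alone beside one that also requires a session-bound token and a matching Origin header. The origin `https://social.example`, the session store, the request layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # server-side secret, never sent to clients
SITE_ORIGIN = "https://social.example"    # hypothetical origin of the site itself
SESSIONS = {"sess-alice": "alice"}        # constructed session store: cookie -> user


def issue_csrf_token(session_id):
    """Token the site embeds in its own forms, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def make_request(friend, origin, token=None):
    """Constructed request. The session cookie is always present because the
    browser attaches it to every request for the site, whoever triggered it."""
    form = {"friend": friend}
    if token is not None:
        form["csrf_token"] = token
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": origin}, "form": form}


def user_for(request):
    """Map the session cookie to a logged-in user, or None."""
    return SESSIONS.get(request["cookies"].get("session"))


def remove_friend_unsafe(request, friends):
    """Authenticates by cookie only, so a cross-site request succeeds."""
    user = user_for(request)
    if user is None:
        return False
    friends[user].discard(request["form"]["friend"])
    return True


def remove_friend_checked(request, friends):
    """Also requires proof that the request came from the site's own page."""
    user = user_for(request)
    if user is None:
        return False
    # A page on another origin cannot read the token out of the site's forms.
    expected = issue_csrf_token(request["cookies"]["session"])
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False
    # Second layer: reject unless the browser-reported Origin is the site's own.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return False
    friends[user].discard(request["form"]["friend"])
    return True


if __name__ == "__main__":
    cross_site = make_request("bob", origin="https://other-site.example")
    same_site = make_request("bob", origin=SITE_ORIGIN,
                             token=issue_csrf_token("sess-alice"))
    for handler, req in [(remove_friend_unsafe, cross_site),
                         (remove_friend_checked, cross_site),
                         (remove_friend_checked, same_site)]:
        friends = {"alice": {"bob", "carol"}}
        print(handler.__name__, req["headers"]["Origin"],
              handler(req, friends), sorted(friends["alice"]))
```

The checked handler has to guard every state-changing endpoint; a single action left on the cookie-only path stays forgeable even after the others are fixed.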
"I am just blown away that this keeps happening," Keith said in an e-mail interview.
Facebook representatives couldn't immediately be reached for comment.
Facebook's security team has been under siege lately, with worm attacks and site flaws popping up on a regular basis. These security issues come as the social network has been hit with intense criticism for not adequately protecting users' privacy, and inappropriately sharing user data with advertisers.
Users have been quitting the social network and a campaign proclaiming May 31 as Quit Facebook Day has gained some traction.
Despite all of its other problems, Facebook should have fixed this latest flaw by now, Abbagnaro said. "I'm not sure why they haven't fixed it yet because it is pretty serious."
Robert McMillan can be reached at firstname.lastname@example.org. He is on Twitter at: http://twitter.com/bobmcmillan
Facebook Fixes Bug That Allowed Friend Deletion
The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. It was patched Friday afternoon, Pacific time, after the IDG News Service notified Facebook of the issue.
The bug was a variation of an earlier vulnerability that Facebook learned about last week, which affected a range of features on the Web site. Hackers could have leveraged Abbagnaro's bug to delete all of a victim's contacts, one by one, but it does not appear that anyone ever exploited it in a malicious way.
For Abbagnaro's attack to work, however, a user would have to have been tricked into clicking on a malicious Web link while still logged into Facebook.
Facebook has struggled this week to fix these bugs, which are called cross-site request forgery flaws. They exist because of relatively simple Web programming mistakes in the Web site's code, and security researchers have criticized Facebook for not fixing them more quickly.
"We're in the process of doing a full audit and are building additional protections for this type of potential attack across the code base," said Simon Axten, a Facebook spokesman, in a Friday e-mail interview. "We began working on this one as soon as we learned about it and pushed a fix early this afternoon."
Securing your Facebook privacy settings
One wonders if Mark Zuckerberg and his fellow Facebook executives are wishing they could declare a do-over right about now, dating back to late April. That’s when Facebook held its developer summit and unveiled plans to make the social network even more ubiquitous on the Web—and that also raised a number of serious privacy concerns among Facebook users. Since then, Facebook has been the subject of what seems like a daily drumbeat of headlines about its privacy policies, whether it’s users quitting the social network service or pundits advocating for improved privacy rules.
The optimist in me hopes that the public uproar inspires Facebook’s management to spend less effort on spin and more on unraveling the Gordian Knot that is managing your privacy settings on the social network site. (It’s an oft-quoted tidbit, but this New York Times report bears repeating: to completely manage your privacy on Facebook, you’ve got to manage 50 settings with more than 170 options. That seems… excessive.) Until Facebook lets up the requisite puff of white smoke to announce what came out of last week’s privacy summit, however, when it comes to making sure your Facebook information is only seen by the people you want to share it with, you’re still on your own.
Well, not entirely on your own—ReclaimPrivacy.org, a privacy awareness group, has developed a tool that scans your Facebook privacy settings to tell you how secure your data is. The tool is available in the form of a bookmarklet that you drag to the bookmarks bar of your Web browser. Then you head to Facebook’s privacy settings screen—ReclaimPrivacy.org helpfully provides a link—and click on the bookmark. After the tool scans your privacy settings in six areas—Facebook’s Instant Personalization feature; your personal data; contact information; friends, tags, and connections information; what your friends can share about you; and whether applications can leak your personal data—it tells you what areas are secure and where you may want to consider tweaking your settings.
Hold on a minute, the privacy-focused among you might be saying: How do I know that ReclaimPrivacy.org will respect my privacy? The Web site says it never sees your Facebook data nor does it share your personal information. It also publishes the source code for its scanning tool in the name of transparency.
I used the ReclaimPrivacy.org tool on my own Facebook account to see how it worked, testing it both on Safari 4 and Firefox 3.6. Running the scanner takes just a few seconds, and I got a green Secure label for Instant Personalization, as well as preventing friends and applications from inadvertently sharing my data. Three areas were flagged with a yellow caution label—my personal information, contact information, and friends, tags, and connections data. (According to reports elsewhere on the Internet, there’s a third label—a red “insecure” flag. That one didn’t appear in my tests, which I guess is a sign that my paranoia and distrust of my fellow man is good for something.)
The ReclaimPrivacy.org tool provides helpful links for adjusting any settings it flags as problematic. To secure my personal information, I clicked on the supplied link and altered my biographical info so that only my Facebook friends could see it. Hitting the rescan button brought up a green secure label for my personal information.
Securing my contact information and friends, tags, and connections data proved more problematic. I’ve set my Facebook preferences to allow anyone to add me as a friend or send me a message. That apparently raises a caution flag for ReclaimPrivacy.org, though it’s one I’m willing to live with. (What’s the point of being on a social network only to make it difficult for people to find you? Besides, I figure I can ignore any friend requests or messages that strike me as hinky.) As for friends, tags, and connections, I can only guess that ReclaimPrivacy is concerned that I’ve made my hometown, education, and work info visible to anyone. (No one must ever know that Philip Michaels is employed by Macworld!) While I can understand that some Facebook users may not want to share that specific data, I’m fine with having it out there just as I’m fine with ReclaimPrivacy.org letting me know that I may want to rethink that stance if I want to be completely secure.
There’s one thing about the ReclaimPrivacy.org tool that struck me as curious: When I scanned my Facebook settings in Firefox, I got the all clear on everything—even the categories still flagged with a yellow Caution label in Safari. My takeaway message? As helpful as the ReclaimPrivacy.org tool is—and it is very helpful—it’s not a silver bullet for every privacy concern you’ll have on Facebook. The best weapon you have is still your own common sense—though a little clarity from Facebook itself would be welcome, too.
Facebook Page Banned by Pakistan Is Back Online
The Facebook page that led the Pakistan government to ban the entire site was back online Saturday, at least for some users, after it was inaccessible for about two days.
The page was removed Thursday after one of the moderators had his e-mail and Skype account hacked into, and his personal data revealed, according to a post on the page on Saturday. The moderator then got scared and deleted the page, a blog, and e-mails, according to the post.
"This is another scare tactic from the Islamic extremists," the post said. "We won't fall," it added. The moderator who removed the page has however backed out, according to the post.
The page had over 108,000 fans and over 11,700 photos posted on Saturday. Though the Facebook users who created the page put it back up Saturday, some users in India were able to access it for only a brief time before their access was once again blocked. Meanwhile access to Facebook as a whole continues to be blocked in Pakistan.
The page "Everybody draw Mohammed Day!" invites users to post caricatures of Prophet Mohammed, which led a court in Pakistan to order the site to be blocked.
There were also a large number of protests on the streets of Pakistan on Wednesday and Thursday, objecting to the page.
The Pakistan Telecommunication Authority (PTA) on Wednesday ordered operators to block Facebook until further orders. It also ordered YouTube to be blocked on Thursday for displaying "sacrilegious" content. It said it had also blocked over 450 links on the Internet that contained derogatory material.
"Facebook has not taken any action on this page," a spokeswoman for the company said earlier on Saturday. The company had said on Thursday that it would not rule out making the content that Pakistan objected to inaccessible to users in Pakistan.
When dealing with user-generated content on global Web sites, there are occasions where content that is illegal in one country is not, or may even be protected, in another, Facebook said on Thursday. Most companies, including Facebook, approach this issue by preventing certain content from being shown to users in the countries where it is illegal, it added.
The PTA has said it would welcome contact from Facebook and YouTube to resolve the issue.
And now, a Facebook for kids under 13
It’s free to join, and kids’ accounts must be created by their parents using their own Facebook logins. Parents can approve or reject their children’s friends and see what activities or games their kids are up to.
Kids have separate logins to Togetherville, and the site looks different depending on whether a parent or a child is logged in. For kids, there are games, prescreened YouTube videos and other activities, such as educational applications, but no ads.
There are even Facebook-style status updates, called “quips,” with a twist: kids choose from a preselected menu of updates, which change daily. Dhillon says that’s because when given a blank space to type in, kids tend to either write gibberish or get stumped by what to say. But if they want to, they can send in their own “quips” for approval.
Best Buy to offer online movies
Best Buy Co. is about to give its customers one less reason to buy DVDs.
The largest U.S. consumer electronics retailer said Tuesday that it will start renting and selling the latest video releases over high-speed Internet connections by the end of this month. It will compete against an array of other similar services offered by Amazon.com Inc., Netflix Inc. and Apple Inc.
Rentals are expected to cost about $4 per title, and movies to own will cost about $15.
Cellular customer satisfaction grows
Consumers are more satisfied than ever with their cell phone service, according to a new survey.
The American Customer Satisfaction Index for cell phone service was 72 on a 100-point scale in the first quarter this year. That rose three points from last year and is the highest grade since the survey started looking at wireless in 2004.
Facebook divides civil society in Pakistan
ISLAMABAD: While hundreds of Pakistanis are protesting against the social networking websites Facebook and YouTube for carrying caricatures of the Prophet Mohammed (Peace Be Upon Him), there are many in this conservative Muslim country who oppose the decision to ban these sites and believe in tackling the situation by adopting countermeasures.
Protesters in the major Pakistani cities of Karachi, Lahore, Islamabad, Rawalpindi, Multan and Peshawar spent last Friday shouting "Death to Facebook" and "Death to America" and burnt US flags.
But surprisingly and in contrast with the past, the religious leadership, which organized the processions, could not attract big gatherings for the protests.
Around 4,000 people came into the streets to protest against Facebook and YouTube in Karachi, 3,000 turned up in Lahore, around 500 gathered in Multan, up to 400 appeared in Rawalpindi and Islamabad and 250 showed up in the north-western city of Peshawar. In Lahore, protesters burnt US, Norway, Sweden and Denmark flags. In Karachi, Islamabad, Rawalpindi, Multan and Peshawar, people blocked main roads and shouted death to Facebook, America and the Western media, which humiliated the holy prophet.
"We have to show unity in this war of the present time," remarked Farid Ahmed Paracha, a central leader of main opposition religious party Jamaat-e-Islami. "We should tell America that this is the final battle and we are ready to win it," he told the gathering in Lahore.
"This Facebook and YouTube are being used negatively against Muslims and to humiliate our holy prophet, we warn USA and the whole west they should avoid such practice otherwise a new war will start," said Mirza Hassan, a college student in Rawalpindi.
The Pakistan Telecommunications Authority (PTA) also restricted more than 450 links besides completely banning Facebook and YouTube after a court decision for restricting all Internet sites carrying blasphemous material.
But there are also many people who think that protesting against such acts is not the right way to handle this situation.
"What will be the impact on Facebook, USA, and the west if we block our own roads and create a panic in our own country? We should simply accept their offence and prepare ourselves to beat them technically in all the areas," said Hasan Nasir, a young computer engineer.
A debate has also started among members of civil society over the justification for the ban. Hundreds of e-mails have been generated on popular e-mail groups, including the media groups, arguing for or against the ban.
"We always turn up for non-issues. This is true that they have hurt us, but halting the life in our own country satisfies their aims. We should openly face this and try to respond to it by concentrating on our jobs and taking our Muslim Ummah up to their level in economic and social departments. Then we should leave them behind in all other departments and take our sweet revenge," said Mubarak Ahmed, operator at an international call center.
"My Prophet is above all these things and criticism. His personality is far above all of this. I don't care who is making what kind of caricatures of him. He is a blessing for the whole world and I love him from the core of my heart. His blessings are for the entire world and his critics will meet their destiny on the doomsday, me or anybody else has no need to worry," commented Tariq Zia, social officer at a local NGO.
Like this? Lee DeWyze surpasses Crystal Bowersox in Facebook popularity
While Crystal Bowersox continues to sharply lead fellow Idol top two contestant Lee DeWyze in overall mentions across the internet, one trend has emerged which suggests that Lee has in fact gained momentum heading into the season finale. On their latest official status updates on Idol’s official Facebook page, Lee leads Crystal nearly two to one in both the number of “Likes” from fans and in the number of comments: 9840 to 5797, and 3899 to 2122, respectively. So while the search results we unearthed earlier suggest that Crystal Bowersox has in fact been the frontrunner throughout the course of the season, today’s Facebook data suggests that Lee DeWyze is in fact rapidly gaining momentum. While voters at home will determine who will win with their telephones on Tuesday evening, voters on Facebook appear to be having their say in the meantime.
Why Your Business Should Not Abandon Facebook
Google has taken some of the privacy heat off of Facebook with the discovery that it has "accidentally" been intercepting and archiving wireless network communications around the world with its Google Street View cars, but Facebook isn't off the hook. In fact, new revelations about how Facebook and other social networking sites share information with advertisers enflame the situation further, and the privacy backlash against Facebook could have consequences for your business.
Does your business have a Facebook presence? PCWorld has a Facebook presence, as do I. McDonald's, Microsoft, Taco Bell, Adobe, Apple and thousands of other companies have a Facebook presence. Some organizations, like Microsoft, have multiple Facebook profiles broken down by product groups or individual applications like Microsoft Office.
Many companies have online support forums, FAQs and other resources available, but Facebook provides an opportunity to engage customers where they are rather than expecting them to seek out your company. Establishing and maintaining a Facebook presence--or a Twitter account for that matter--allows the company to interact with customers on a more personal level and foster a sense of community and loyalty.
Of course, if there is a huge privacy backlash and systematic boycott of Facebook, it would reduce the value of Facebook as a marketing or customer relations platform. According to a survey from Sophos, a security software and services vendor, as much as two-thirds of Facebook users are considering deactivating or deleting their Facebook account as a result of privacy concerns.
Like all surveys, though, you have to take this one with a grain of salt. Sophos surveyed fewer than 1600 out of more than 400 million Facebook users, and by virtue of being connected with Sophos in the first place those surveyed users are arguably more likely to be aware of, and concerned about privacy and security issues. Suffice it to say that the survey is not very scientific, and most likely not indicative of the broader reality of Facebook.
The truth is that as the media has focused intense attention on the privacy issues, and a vocal minority is organizing boycotts and "mass" Facebook defections, membership has still been on the rise. The current privacy fiasco is a big deal, but just variations on a recurring theme for Facebook which has faced repeated privacy concerns and user "backlashes" and grown larger and more powerful every time.
With the latest round of Facebook moving the line in the sand and automatically opting users in to new and exciting ways of sharing information that they may not have wished to share, and the revelations of data being shared with advertisers contrary to policy, there are some reasons to be concerned. The company or community page you established in order to have a Facebook presence could be distributed, or misappropriated in ways you did not intend or approve. The message you targeted for your Facebook community could possibly now be shared elsewhere throughout the Internet.
Facebook is out of line in launching new services and changing the rules without warning, and it is out of line for not making any change that affects the way personal data is shared or distributed opt-in by default. But, in the end the social networking site will most likely continue to grow its membership despite any boycotts and defections, and it still represents a fertile and valuable arena for engaging customers and building relationships to establish and expand your brand recognition.
Don't follow the vocal minority and jump ship just yet. It's not sinking--it's going full steam ahead with or without you.
The ConnectU cofounders are arguing that Facebook executives and lawyers presented the cash-and-stock offer's value as $65 million, relying on a valuation of $15 billion that Microsoft paid in 2007 when buying preferred shares in the company. The settlement, however, was to be paid in common shares, not preferred shares, which Facebook itself valued at roughly 75 percent less for the purposes of calculating taxes on stock-based compensation -- cutting the settlement's offer roughly in half.