The hack, by a Vancouver computer technician, circumvented a March 18 upgrade to Facebook's privacy controls. The technician, Byron Ng, began investigating security weaknesses last week after Facebook unveiled new ways for its members to restrict access to their personal profiles.
Among the new privacy features deployed was a "friends of friends" privacy option that allows Facebook users to share information only via connected friends. The upgrade also gave Facebook users the ability to share and restrict information based on specific friends or friend lists, augmenting a feature added in December that permits users to communicate by choosing what information is shared with certain groups of people.
But Ng's hack of the system found a work-around that allowed him to access the most recent pictures posted by Facebook members and their friends, even though they had set their privacy settings to restrict access to a limited group.
A representative from Facebook said the problem has been fixed.
"Our engineers tested the scenario, found that it was a bug and fixed it immediately," a Facebook spokeswoman told SCMagazineUS.com. "We take privacy very seriously and continue to make enhancements to the site.
The hack shows that enterprises that allow their employees to visit social networking sites such as Facebook could find their security jeopardised, Kevin Haley, director of product management for Symantec's security response team, told SCMagazineUS.com.
Too often, he said, end-users put "information about work, information about who they are, where they work, who they work with and information the corporation may not want available" on social networking sites.
"If I was looking to target an organisation, it would be useful to know which people worked where, to find out personal information about them," he said.
Armed with that information, it would not be difficult to perpetrate a social engineering attack.
"Hopefully, no one is posting photos of latest product design or blueprints of a jet fighter," he said.
The fact that security problems continue to plague the social networking sites is an indication of growing pains, Haley said.
"To Facebook's credit, it's trying to create the ability for users to post private information available to certain people only, and it's to their credit they resolved the issue quickly," he said.
Enterprises should develop policies for accessing social networking sites, he said. They can either ban access to them or educate their end-users on how to access them safely.
Ng was able to uncover private pictures of Paris Hilton and her brother, Barron, partying at the Emmy Awards. In the past, Ng has discovered unpublished pages of the latest "Harry Potter" book on a peer-to-peer network.
See original article on scmagazineus.com
Facebook privacy flap should spark concern for business
By Jim Carr on Mar 27, 2008 10:03AM