Facebook privacy flap should spark concern for business

A security and privacy breach that made personal Facebook photos available to unwelcome visitors could have had real consequences for businesses, experts said.

The hack, by a Vancouver computer technician, circumvented a March 18 upgrade to Facebook's privacy controls. The technician, Byron Ng, began investigating security weaknesses last week after Facebook unveiled new ways for its members to restrict access to their personal profiles.

Among the new privacy features deployed was a "friends of friends" privacy option that allows Facebook users to share information only via connected friends. The upgrade also gave Facebook users the ability to share and restrict information based on specific friends or friend lists, augmenting a feature added in December that permits users to communicate by choosing what information is shared with certain groups of people.

But Ng's hack of the system found a work-around that allowed him to access the most recent pictures posted by Facebook members and their friends, even though they had set their privacy settings to restrict access to a limited group.

A representative from Facebook said the problem has been fixed.

"Our engineers tested the scenario, found that it was a bug and fixed it immediately," a Facebook spokeswoman told SCMagazineUS.com. "We take privacy very seriously and continue to make enhancements to the site."

The hack shows that enterprises that allow their employees to visit social networking sites such as Facebook could find their security jeopardized, Kevin Haley, director of product management for Symantec's security response team, told SCMagazineUS.com.

Too often, he said, end-users put "information about work, information about who they are, where they work, who they work with and information the corporation may not want available" on social networking sites.

"If I was looking to target an organization, it would be useful to know which people worked where, to find out personal information about them," he said.

Armed with that information, an attacker would not find it difficult to perpetrate a social engineering attack.

"Hopefully, no one is posting photos of latest product design or blueprints of a jet fighter," he said.

The fact that security problems continue to plague the social networking sites is an indication of growing pains, Haley said.

"To Facebook's credit, it's trying to create the ability for users to post private information available to certain people only, and it's to their credit they resolved the issue quickly," he said.

Enterprises should develop policies for accessing social networking sites, he said. They can either ban access to them or educate their end-users on how to access them safely.

Ng was able to uncover private pictures of Paris Hilton and her brother, Barron, partying at the Emmy Awards. In the past, Ng has discovered unpublished pages of the latest "Harry Potter" book on a peer-to-peer network.
