Facebook privacy flap should spark concern for business

A security and privacy breach that made personal Facebook photos available to unwelcome visitors could have had real consequences for businesses, experts said.

The hack, by a Vancouver computer technician, circumvented a March 18 upgrade to Facebook's privacy controls. The technician, Byron Ng, began investigating security weaknesses last week after Facebook unveiled new ways for its members to restrict access to their personal profiles.

Among the new privacy features deployed was a "friends of friends" privacy option that allows Facebook users to share information only via connected friends. The upgrade also gave Facebook users the ability to share and restrict information based on specific friends or friend lists, augmenting a feature added in December that permits users to communicate by choosing what information is shared with certain groups of people.

But Ng's hack of the system found a work-around that allowed him to access the most recent pictures posted by Facebook members and their friends, even though they had set their privacy settings to restrict access to a limited group.

A representative from Facebook said the problem has been fixed.

"Our engineers tested the scenario, found that it was a bug and fixed it immediately," a Facebook spokeswoman told SCMagazineUS.com. "We take privacy very seriously and continue to make enhancements to the site."

The hack shows that enterprises that allow their employees to visit social networking sites such as Facebook could find their security jeopardized, Kevin Haley, director of product management for Symantec's security response team, told SCMagazineUS.com.

Too often, he said, end-users put "information about work, information about who they are, where they work, who they work with and information the corporation may not want available" on social networking sites.

"If I was looking to target an organization, it would be useful to know which people worked where, to find out personal information about them," he said.

An attacker armed with that information would not find it difficult to perpetrate a social engineering attack.

"Hopefully, no one is posting photos of latest product design or blueprints of a jet fighter," he said.

The fact that security problems continue to plague the social networking sites is an indication of growing pains, Haley said.

"To Facebook's credit, it's trying to create the ability for users to post private information available to certain people only, and it's to their credit they resolved the issue quickly," he said.

Enterprises should develop policies for accessing social networking sites, he said. They can either ban access to them or educate their end-users on how to access them safely.

Ng was able to uncover private pictures of Paris Hilton and her brother, Barron, partying at the Emmy Awards. In the past, Ng has discovered unpublished pages of the latest "Harry Potter" book on a peer-to-peer network.
