Security Flaws Leave Egg On Face(book)

Two privacy flaws in Facebook were quickly patched Wednesday, but for security experts the breaches are just signs of what may be chronic problems with the social network’s ability to preserve the sensitive data of its more than 400 million members.

The flaws were linked to a feature that’s part of Facebook’s new — and controversial — privacy settings. The preview feature allows users to toggle off and on changes they make in their privacy options for the system. It contributed to the flaws, which enabled a user’s private chats to be viewed by all his or her friends and allowed a user’s friends to see all his or her pending friend requests.

“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the ‘preview my profile’ feature of Facebook privacy settings,” reads a company statement.

“When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function,” the statement continued. “We also pushed out a fix to take care of the visible friend requests which is now complete. Chat is now back up and running.”

“We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented,” it added.

Congress Weighs In

The recent changes in Facebook’s privacy policy have been criticized from a number of quarters, including the U.S. Congress. Just last week, four Democratic senators — Charles E. Schumer of New York, Michael Bennet of Colorado, Mark Begich of Arkansas and Al Franken of Minnesota — fired off a letter expressing their concern about the changes to the CEO of Facebook, Mark Zuckerberg.

“While Facebook provides a valuable service to users by keeping them connected with friends and family and reconnecting them with long-lost friends and colleagues, the expansion of Facebook — both in the number of users and applications — raises new concerns for users who want to maintain control over their information,” the senators wrote.

Concerns cited by the solons were the expansion of publicly available information about Facebook members, removal of time limits on third-party storage of member information and broadening of access to members’ data by third parties through the new “instant personalization” feature.

“We look forward to the FTC examining this issue, but in the meantime we believe Facebook can take swift and productive steps to alleviate the concerns of its users,” the senators added. “Providing opt-in mechanisms for information sharing instead of expecting users to go through long and complicated opt-out processes is a critical step towards maintaining clarity and transparency.”

Even Geniuses Fallible

Facebook’s privacy scheme poses problems even for sophisticated users because the socnet constantly changes the playing field, according to Marian Merritt, an Internet safety advocate at security software maker Symantec. “If you’re somebody who’s trying to take privacy seriously, they do keep moving that target in a way that makes it very hard to keep up,” she told TechNewsWorld.

Many of the recent changes made by Facebook require members to opt out of features, when they should be opt-in, maintained Paul Reynolds, electronics editor at Consumer Reports. On the eve of the security snafu at Facebook, the magazine released a report that found, among other things, that 52 percent of consumers post risky information on social networks.

In addition, changing privacy settings can be difficult, Reynolds asserted. “You have to go pretty deep into a number of pages to get to the right controls,” he told TechNewsWorld. “They’re not as easy to access as maybe they should be.”

The flaws revealed yesterday suggest that members aren’t the only ones confused by changes at Facebook, contended Chester Wisniewski, a security analyst with security software maker Sophos. “I think they’ve made their own privacy ecosystem so complicated that even their own developers don’t understand the implications of the changes they’re making,” he told TechNewsWorld.

Facebook members looking for a respite from privacy breaches in the future will be disappointed, maintained Zeljka Zorz, the news editor at Net-Security.org. “I think this kind of thing will definitely continue to happen in the future, and not only to Facebook,” she told TechNewsWorld.

“When flaws in the code and its execution are concerned — and from the looks of it, it seems that this is what happened in this instance — it’s simply inevitable,” she noted. “People can be geniuses, but they are still people, i.e. fallible.”

1 Comment

  • I myself am done with Facebook. There is definitely a lack of concern by Facebook for protecting information. But even when you want to close your account, you have to make sure you delete your account! Even then I am not so sure that your personal information will ever be gone. This is very disturbing, and even though I know a lot of people seem addicted to Facebook, they would be wise to rethink what information they post there.


More by John P. Mello Jr.