My Spanish colleague Josep Albors has also commented on recent Facebook security issues. Mistakes in translation and interpretation are, as always, mine.
The world's largest social network is a nearly inexhaustible news source: not only because it has reached 500 million users, or because it's the subject of a forthcoming film. It is also making news because of continuing incidents affecting the security and privacy of its users. The two most recent are the leaking of personal information of more than 100 million users (see also David Harley's blog here [http://blog.eset.com/2010/07/29/facebook-losing-more-than-face]), and the replacement of keywords by other highly impolite wording. As our colleague Sebastián Bortnik of ESET Latin America has posted, these incidents have been widely reported using imprecise terms such as hackers or "hackarillistas".
The leakage of the personal information of more than 100 million unique users was not the work of an experienced hacker illegally accessing Facebook servers to steal information. The reality was much less dramatic. Ron Bowes (a researcher at the Skull Security company) was the architect of this feat, with the help of a simple application that crawled all Facebook profiles with publicly visible information and compiled them into a file.
Subsequently, this researcher made these data available to anyone who wanted to download them as a 2.79GB torrent file containing all the information he had collected. It probably can't be described as illegal, since he merely automated a process that anyone can reproduce by visiting user profiles. So this is less about these data having been exposed to prying eyes by this researcher, or even by Facebook, than it is about the users themselves exposing data that should have been hidden using stricter privacy settings on social networks.
Another incident concerned the default wording used in the Spanish version of Facebook for status items such as "I like…" or "today is the birthday of…". Many of these words and phrases were replaced by far less appropriate phrases in Turkish, which seems to indicate the origin of the users who instigated this incident. This was not achieved by attacking Facebook servers using "hacking" techniques. The attack merely used the crowd-translation feature, which replaces the current translation with an alternative once that alternative has been suggested by a certain number of people. So it was only necessary for that number of users to agree to propose the same translation, and Facebook changed it automatically.
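The crowd-translation mechanism described above lends itself to a small model. The following Python is added here as an illustration and is not code from Facebook or from the original post: it contrasts a policy that auto-accepts a proposal once a vote threshold is reached with an assumed stricter policy (one vote per account, a minimum account age, and a hold for human review when the winning votes arrive in a short burst). The sample data, thresholds and account names are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

T0 = datetime(2010, 8, 1, 12, 0)


def make(account, age_days, minutes, text):
    """Build one constructed suggestion record for a single UI string."""
    return {"account": account, "age_days": age_days,
            "when": T0 + timedelta(minutes=minutes), "text": text}


# Constructed: a coordinated burst from five fresh accounts vs. two independent, spread-out votes.
BURST = [make(f"new{i}", 2, i, "[constructed replacement text]") for i in range(5)]
LEGIT = [make("vet1", 400, 0, "Me gusta"), make("vet2", 900, 300, "Me gusta")]
SAMPLE = BURST + LEGIT
# Same burst from long-lived accounts: passes the age filter but is still a burst.
AGED_BURST = [make(f"old{i}", 500, i, "[constructed replacement text]") for i in range(5)] + LEGIT
# Organic agreement: five old accounts voting over two days.
ORGANIC = [make(f"vet{i}", 400, i * 600, "Me gusta") for i in range(5)]


def naive_accept(suggestions, threshold):
    """Weak policy (the behaviour the post describes): accept the first text reaching `threshold`."""
    for text, n in Counter(s["text"] for s in suggestions).most_common():
        if n >= threshold:
            return text
    return None


def guarded_accept(suggestions, threshold, min_age_days=30,
                   window=timedelta(hours=1), burst_share=0.8):
    """Assumed stricter policy: one vote per account, ignore very new accounts, and
    route a winning proposal to review when most of its votes landed in one `window`."""
    seen, votes = set(), {}
    for s in suggestions:
        if s["age_days"] < min_age_days or s["account"] in seen:
            continue
        seen.add(s["account"])
        votes.setdefault(s["text"], []).append(s["when"])
    for text, times in sorted(votes.items(), key=lambda kv: -len(kv[1])):
        if len(times) < threshold:
            continue
        times.sort()
        # Largest number of votes that fall inside any window starting at a vote time.
        peak = max(sum(1 for t in times if start <= t <= start + window) for start in times)
        return ("review", text) if peak / len(times) >= burst_share else ("accept", text)
    return (None, None)
```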
In summary, these are two incidents on Facebook with a fairly high media impact, but having less to do with using illegal penetration techniques or malicious code attacks than with the automated scraping of public information and use of an automated social networking feature.
The ESET laboratory at Ontinet.com recommends that Facebook users think twice before publishing sensitive information in their profiles: consider first whether it is really necessary, and secondly if you have set appropriate privacy settings.
Thanks, Josep. I still think there are issues as regards (a) Ron Bowes and his ethics (b) Facebook's less than optimally secure defaults, though.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET