BBC Exposes Serious Facebook Privacy Flaw

The BBC's technology programme Click has exposed a security flaw in the social networking site Facebook which could compromise privacy.

A simple malicious application could expose you and your friends (who do not need to install the application) to ID fraud. The BBC has compiled a video to demonstrate the flaw, and if you are an avid Facebook user I suggest you watch it and take note. It's not clear whether the techniques described by the BBC are currently in use on Facebook, but if a friend merely adding the application is enough to open up your Facebook profile, this is a serious flaw.

View: BBC News Article

29 Comments

Yes we know about that Justin but by default those options are enabled so for most users that don't go into these privacy settings this is a huge issue.

Biased? Hardly. It's a serious vulnerability because a user doesn't have to use the malicious application and by default users are at risk. In order to protect yourself you basically have to cut off access to lots of features that break other applications, hence few users will change the settings.

To be honest.

I'm sure it will be quite easy to create an application that can do this...

Moral of the story - Don't put personal information on facebook

I put my address and credit card details on Facebook, so if I lose my card my friends know whose it is. Does this mean ANYONE can see it?!

The moral is that common sense should always prevail. If you don't give your personal details out to a total stranger, why would you put them on an unsecured web server?

It's NOT a flaw.

You agree to grant the application access to this information when you add it.

Just the BBC being paranoid about data theft again.

wasn't the whole point that if your friends are idiotic enough to allow the application data then you are at risk:

Even if your security settings are tight (mine are), my profile is still set to allow my friends to see my info. Therefore, if an idiot friend of mine grants an application what are essentially admin rights on his / her profile, then that app can see all the information that that person's profile has access to - i.e. presumably my profile.

Unless I'm misunderstanding - I only skimmed the article.

(macf13nd said @ #6.1)
wasn't the whole point that if your friends are idiotic enough to allow the application data then you are at risk:

Even if your security settings are tight (mine are), my profile is still set to allow my friends to see my info. Therefore, if an idiot friend of mine grants an application what are essentially admin rights on his / her profile, then that app can see all the information that that person's profile has access to - i.e. presumably my profile.

Unless I'm misunderstanding - I only skimmed the article.

your understanding is correct, it's Lt-DavidW who isn't understanding.

Why would anyone put information on Facebook that's worth stealing in the first place anyway? I have name, sex, hometown and relationship status. Applications are bloody annoying anyway.

What do they mean the bloated broadcasting corporation saying they discovered a serious flaw or flaws?

I thought most of us knew this already! LMAO @BBC

(neufuse said @ #14)
What happened to the days when the BBC was a good news organization?

When people allow applications to use that personal info, they don't assume it's being harvested for anything other than the game. So the privacy flaw is a deception. jmo

yeah i saw this one earlier

i encourage you guys to do what you think is want. i think that facebook is a big social thing nowadays, and a lot of people in certain demographics seem to use it.

i think at the end of the day, people on these networks really care about themselves and on occasion a few people they kind "follow" around.

call me a rebel rouser, but I'd like to see the day where people login one day to see the latest 10 profile views on their page. people would be in effect, caught "peeping" and feel utterly humiliated by the feeble and pathetic basis of the site. this is why myspace was so quick to stunt this. everyone wants to know who views their profile, but not the other way around.

these are people who know each other in real life, but much of the peeping happens between the weaker IRL ties. who is peepin your profile?
