Risk
10/18/2010
01:35 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Facebook Apps Found Sharing User IDs

The social networking site says media reports exaggerate the privacy risks.

All of the ten most popular apps on Facebook have been found sharing Facebook members' user ID numbers (UIDs) with outside companies and three of the top ten Facebook apps, including Farmville, shared information about users' friends, too.

The privacy breach was discovered as a result of an investigation by the Wall Street Journal, which published its findings on Monday.

The issue affects tens of millions of Facebook users, even those who have the strictest possible privacy settings. According to the Wall Street Journal's report, the apps reviewed were found to be sending Facebook UIDs to at least 25 data collection and advertising firms.

In a post to its developer blog on Sunday evening, Facebook downplayed the privacy impact, even as it promised to take action.

"Press reports have exaggerated the implications of sharing a UID," wrote Facebook engineer Mike Vernal. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

Vernal said that in most cases, Facebook developers did not intend to pass UIDs to third-parties, but did so because of the way Web browsers have traditionally worked.

Disciplinary action against Facebook developers so far has been mild. The company blocked access to games made by Lolapps on Friday, but restored access shortly thereafter.

The issue has to do with "Referer URL" data, which a Web browser will generally transmit to a Web server when a user requests a Web page. The Referer URL (yes, it's misspelled) shows the URL of the Web page that referred the user, by way of a Web link, to the page being requested. This can reveal potentially sensitive information about the user, depending upon the content of the referring Web site.

Because UID numbers can be used to determine a Facebook user's name and possibly other information, this presents a potential privacy risk.

RapLeaf, one of the advertising data companies named in the Wall Street Journal report, said it had looked into the problem, which it characterized as inadvertent, and addressed it.

"When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," the company said in a blog post.

Among the Facebook users commenting on Facebook's insistence that UID transmission was mostly accidental, some expressed skepticism. "Each and every step that Facebook has taken has brought security and privacy back two steps," wrote Michael Callaghan in a comment on Facebook's developer blog.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.