Risk
10/18/2010
01:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Apps Found Sharing User IDs

The social networking site says media reports exaggerate the privacy risks.

All of the ten most popular apps on Facebook have been found sharing Facebook members' user ID numbers (UIDs) with outside companies and three of the top ten Facebook apps, including Farmville, shared information about users' friends, too.

The privacy breach was discovered as a result of an investigation by the Wall Street Journal, which published its findings on Monday.

The issue affects tens of millions of Facebook users, even those who have the strictest possible privacy settings. According to the Wall Street Journal's report, the apps reviewed were found to be sending Facebook UIDs to at least 25 data collection and advertising firms.

In a post to its developer blog on Sunday evening, Facebook downplayed the privacy impact, even as it promised to take action.

"Press reports have exaggerated the implications of sharing a UID," wrote Facebook engineer Mike Vernal. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

Vernal said that in most cases, Facebook developers did not intend to pass UIDs to third-parties, but did so because of the way Web browsers have traditionally worked.

Disciplinary action against Facebook developers so far has been mild. The company blocked access to games made by Lolapps on Friday, but restored access shortly thereafter.

The issue has to do with "Referer URL" data, which a Web browser will generally transmit to a Web server when a user requests a Web page. The Referer URL (yes, it's misspelled) shows the URL of the Web page that referred the user, by way of a Web link, to the page being requested. This can reveal potentially sensitive information about the user, depending upon the content of the referring Web site.

Because UID numbers can be used to determine a Facebook user's name and possibly other information, this presents a potential privacy risk.

RapLeaf, one of the advertising data companies named in the Wall Street Journal report, said it had looked into the problem, which it characterized as inadvertent, and addressed it.

"When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," the company said in a blog post.

Among the Facebook users commenting on Facebook's insistence that UID transmission was mostly accidental, some expressed skepticism. "Each and every step that Facebook has taken has brought security and privacy back two steps," wrote Michael Callaghan in a comment on Facebook's developer blog.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.