Risk
10/18/2010
01:35 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Facebook Apps Found Sharing User IDs

The social networking site says media reports exaggerate the privacy risks.

All of the ten most popular apps on Facebook have been found sharing Facebook members' user ID numbers (UIDs) with outside companies and three of the top ten Facebook apps, including Farmville, shared information about users' friends, too.

The privacy breach was discovered as a result of an investigation by the Wall Street Journal, which published its findings on Monday.

The issue affects tens of millions of Facebook users, even those who have the strictest possible privacy settings. According to the Wall Street Journal's report, the apps reviewed were found to be sending Facebook UIDs to at least 25 data collection and advertising firms.

In a post to its developer blog on Sunday evening, Facebook downplayed the privacy impact, even as it promised to take action.

"Press reports have exaggerated the implications of sharing a UID," wrote Facebook engineer Mike Vernal. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

Vernal said that in most cases, Facebook developers did not intend to pass UIDs to third-parties, but did so because of the way Web browsers have traditionally worked.

Disciplinary action against Facebook developers so far has been mild. The company blocked access to games made by Lolapps on Friday, but restored access shortly thereafter.

The issue has to do with "Referer URL" data, which a Web browser will generally transmit to a Web server when a user requests a Web page. The Referer URL (yes, it's misspelled) shows the URL of the Web page that referred the user, by way of a Web link, to the page being requested. This can reveal potentially sensitive information about the user, depending upon the content of the referring Web site.

Because UID numbers can be used to determine a Facebook user's name and possibly other information, this presents a potential privacy risk.

RapLeaf, one of the advertising data companies named in the Wall Street Journal report, said it had looked into the problem, which it characterized as inadvertent, and addressed it.

"When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," the company said in a blog post.

Among the Facebook users commenting on Facebook's insistence that UID transmission was mostly accidental, some expressed skepticism. "Each and every step that Facebook has taken has brought security and privacy back two steps," wrote Michael Callaghan in a comment on Facebook's developer blog.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report