Risk
10/18/2010
01:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Apps Found Sharing User IDs

The social networking site says media reports exaggerate the privacy risks.

All of the ten most popular apps on Facebook have been found sharing Facebook members' user ID numbers (UIDs) with outside companies and three of the top ten Facebook apps, including Farmville, shared information about users' friends, too.

The privacy breach was discovered as a result of an investigation by the Wall Street Journal, which published its findings on Monday.

The issue affects tens of millions of Facebook users, even those who have the strictest possible privacy settings. According to the Wall Street Journal's report, the apps reviewed were found to be sending Facebook UIDs to at least 25 data collection and advertising firms.

In a post to its developer blog on Sunday evening, Facebook downplayed the privacy impact, even as it promised to take action.

"Press reports have exaggerated the implications of sharing a UID," wrote Facebook engineer Mike Vernal. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

Vernal said that in most cases, Facebook developers did not intend to pass UIDs to third-parties, but did so because of the way Web browsers have traditionally worked.

Disciplinary action against Facebook developers so far has been mild. The company blocked access to games made by Lolapps on Friday, but restored access shortly thereafter.

The issue has to do with "Referer URL" data, which a Web browser will generally transmit to a Web server when a user requests a Web page. The Referer URL (yes, it's misspelled) shows the URL of the Web page that referred the user, by way of a Web link, to the page being requested. This can reveal potentially sensitive information about the user, depending upon the content of the referring Web site.

Because UID numbers can be used to determine a Facebook user's name and possibly other information, this presents a potential privacy risk.

RapLeaf, one of the advertising data companies named in the Wall Street Journal report, said it had looked into the problem, which it characterized as inadvertent, and addressed it.

"When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," the company said in a blog post.

Among the Facebook users commenting on Facebook's insistence that UID transmission was mostly accidental, some expressed skepticism. "Each and every step that Facebook has taken has brought security and privacy back two steps," wrote Michael Callaghan in a comment on Facebook's developer blog.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.