RealTime IT News

Bloggers Say Facebook Slow to Fix Security Holes

An apparent flaw in Facebook's security has bloggers up in arms, again, about whether users' personal information is safe on social networking sites.

The FBHive blog claimed that a "simple hack" allowed anyone to access personal information even if the user's account was set to not share that data.

Facebook addressed the problem today. "This was a bug involving a limited set of information from the “Basic Information” section of the profile," Facebook said in an e-mail sent to InternetNews.com. "Our team was able to identify and replicate it, and we put out a fix this morning just before 11am PDT. The loophole has now been closed. We don’t have any evidence to suggest that it was ever exploited for malicious purposes."

Prior to Facebook's fix, security firm Symantec warned that the danger of identity theft was very real.

"This information disclosure issue does not allow attackers to execute malicious code or compromise a user's system in any way, but does present a risk of identity theft. If an attacker is able to exploit this vulnerability, they could gain access to details regarding the networks users are associated with, their gender, birth date, hometown, relationship status and their "Interested In" field. Though this information may seem innocuous, thieves can potentially use it to further develop a profile of a user to aid them in stealing their identity," said a representative of Symantec in an e-mail to InternetNews.com.

Critics charged Facebook was slow to fix the problem. One commenter on the FBHive blog wrote, "Facebook have a poor security history -- and as you have found are unresponsive to any kind of 'heads up.' I work for a security research firm and recently contacted them with a 4 page spread of exploits and bugs. No reply appeared!"

The FBHive bloggers also found Facebook unresponsive to security notifications. The bloggers claimed in their post that they notified Facebook of the issue on June 7, 2009, but received no response. On the other hand, the issue appears to have been fixed almost immediately after the bloggers went public with the flaw. Facebook has not said how long the problem was left unpatched.

Of course, Facebook is not the only company to face security issues. At Microsoft (NASDAQ: MSFT) Bill Gates famously had to focus the company's attention on the security issue, and work on security best practices never ends. Microsoft is still working on the issue of sharing security data with experts and end users. And even the Federal government has felt its share of security pain.

The news comes as all tech companies are anticipating renewed regulatory scrutiny. Facebook recently hired privacy expert Timothy Sparapani as a lobbyist, according to another unofficial Facebook blog, AllFacebook.

Threats to other Web sites

In the past, security experts have said that when hackers obtain Facebook credentials, they try to attack other sites, such as Webmail and personal Web sites, using those same credentials. They argued that Facebook breaches threaten all Web sites.

Security issues could cause other problems for the company. Security experts are increasingly warning users to be cautious when using Web 2.0 sites. "Users really should be wary of the kinds of information they are sharing online. As this issue has exemplified, sometimes that information can be accessible by the whole world, regardless of whether users intended to or not," said John Harrison, Symantec Security Response group product manager, in an e-mail to InternetNews.com.

"We recommend users not share any personal information that really isn't necessary. Information such as a birth date and the city where a user grew up should probably be left out of your profile. Though this information can seem harmless, it could be used to further build a profile of them and aid thieves in effectively stealing their identity," he added.

Harrison advised users to check Web 2.0 security on their own initiative. "In addition, I'd recommend users visit their social networking pages without being logged in. It might surprise them what information can be seen by perfect strangers. At any rate, it is a good fail safe measure to make sure they haven't inadvertently made information public that they did not intend to," he said.

FBHive had shown that breaches of personal data can have consequences by publishing the birth dates and other information of Facebook CEO Mark Zuckerberg as well as Internet influencers Kevin Rose and Cory Doctorow, but later removed the data at what it said was Facebook's request.