May 5, 2010
If you have been online at all today, you probably noticed that for most of the morning, Facebook chat was “down for maintenance.” If you inquired further, or happened to be following TechCrunch, you were probably astonished to find out that Facebook chat was down because of a:
“Major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information… The irony is that the exploit is enabled by the way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit.” (Steve O’Hear, TechCrunch Europe)
Several hours later, Facebook released their statement as a status update on their wall:
“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.” (emphasis added).
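Both statements describe the same class of flaw: a “preview my profile as a friend” feature that, instead of only filtering the owner's profile by what the friend may see, effectively switches the whole session to the friend, so page widgets that read the current principal's private data (chat, pending requests) hand the friend's data to the previewing user. The following is an added illustration of that design mistake beside its fixed form; it is hypothetical example code, not Facebook's implementation, and the users, fields and messages are constructed.

```python
"""Hypothetical 'preview my profile as a friend' feature, written as an added
illustration of the flaw class described in the post (not Facebook's code).
All accounts, profile fields and messages below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    name: str
    friends: Set[str]
    # Data owned by this user alone; it must never be rendered for anyone else.
    chat_log: List[str]
    pending_requests: List[str]
    # profile fields: name -> (value, audience); audience is one of
    # "everyone", "friends", "only_me"
    profile: Dict[str, Tuple[str, str]]


# Constructed sample accounts (hypothetical)
USERS = {
    "alice": User("alice", {"bob"}, ["alice<->carol: lunch?"], ["dave"],
                  {"city": ("Paris", "everyone"),
                   "phone": ("555-0100", "friends"),
                   "notes": ("diary", "only_me")}),
    "bob": User("bob", {"alice"}, ["bob<->erin: secret plans"], ["frank"],
                {"city": ("Rome", "everyone")}),
}


def visible_profile(owner: User, viewer_name: str) -> Dict[str, str]:
    """Return only the owner's profile fields that viewer_name may see."""
    out = {}
    for key, (value, audience) in owner.profile.items():
        if audience == "everyone" or (audience == "friends" and viewer_name in owner.friends):
            out[key] = value
    return out


def render_page(principal: User, profile_owner: User, view_as: str) -> Dict:
    """Render a page: the profile body is filtered for `view_as`, while the
    sidebar widgets (chat, pending requests) always read from `principal`."""
    return {
        "profile": visible_profile(profile_owner, view_as),
        "chat": list(principal.chat_log),
        "pending_requests": list(principal.pending_requests),
    }


def preview_flawed(session_user: str, friend: str) -> Dict:
    """Flawed design: implement the preview by switching the session principal
    to the friend and rendering the page normally. The profile filter is
    correct, but every widget now reads the friend's private data and returns
    it to session_user."""
    impersonated = USERS[friend]
    return render_page(principal=impersonated,
                       profile_owner=USERS[session_user], view_as=friend)


def preview_fixed(session_user: str, friend: str) -> Dict:
    """Fixed design: the principal stays the logged-in user; only the
    visibility filter is evaluated as the friend, so nothing the friend owns
    is ever read."""
    me = USERS[session_user]
    if friend not in me.friends:
        raise PermissionError("can only preview as an existing friend")
    return render_page(principal=me, profile_owner=me, view_as=friend)


def leaks_foreign_private_data(session_user: str, page: Dict) -> bool:
    """Regression check: does a rendered page contain chat or request entries
    that do not belong to session_user?"""
    me = USERS[session_user]
    foreign_chat = [m for m in page["chat"] if m not in me.chat_log]
    foreign_reqs = [r for r in page["pending_requests"] if r not in me.pending_requests]
    return bool(foreign_chat or foreign_reqs)


if __name__ == "__main__":
    for fn in (preview_flawed, preview_fixed):
        page = fn("alice", "bob")
        verdict = "LEAK" if leaks_foreign_private_data("alice", page) else "ok"
        print(fn.__name__, verdict, page)
```

The two previews produce the identical, correctly filtered profile body; the difference is entirely in which principal the rest of the page is rendered for. A check like `leaks_foreign_private_data` run in a test suite against every impersonation or "view as" code path is the kind of guard that catches this class of bug before release.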
A couple of things about this statement: First, as any longtime Windows user knows, even with a vigorous quality-control program, some pretty glaring security loopholes can come to light, due to unforeseen advancements and the greater creativity and incentive of those out in the cloud to find loopholes.
Secondly, although many of us have come to accept that you have no expectation of privacy when visiting a site you do not own or otherwise pay for, this is still more than a little unsettling. In Facebook’s defense, there is some personal responsibility on the part of the end user to be selective about what they share online and which friend requests they accept. While there has been no word on how long this vulnerability existed, one would hope that Facebook would be a little more forthcoming about exactly how long this “bug” existed, and, more importantly, what, if any, steps they have taken or are taking to prevent such mishaps in the future. Is it our responsibility to discover and report any future such issues?
Finally, do you agree with Facebook’s characterization of this major security flaw as a “bug”? On the one hand, to characterize such a major flaw as merely a “bug” seems to trivialize the issue. Dictionary.com has multiple definitions of the word “bug,” but in this instance these three definitions seem particularly appropriate:
- “An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.”
- “A hidden microphone or other electronic eavesdropping device.”
- “To avoid a responsibility or duty. Often used with on or of: bugged out on his partners at the first sign of trouble.”
On a somewhat related note, Dan Yoder’s post on Business Insider, “10 Reasons to Delete Your Facebook Account,” is a particularly good read, even if you have no intention of canceling your account.