
Facebook Bug Could Give Spammers Names, Photos

timothy posted more than 3 years ago | from the who-am-I-again? dept.

Security 145

angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."


145 comments


*Smack Face* (5, Insightful)

Monkeedude1212 (1560403) | more than 3 years ago | (#33232256)

Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photo's and names than to build it in there!

Re:*Smack Face* (4, Insightful)

odies (1869886) | more than 3 years ago | (#33232284)

I think the summary and story is looking at wrong aspect about it too. Spammers, whatever. You're just one in a million. This is a lot more serious about people that just know your email, but are in more personal contact with you than some spammers. Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity. That's a lot more serious privacy violation.

Answer: some 22yo kid on a powertrip (2, Funny)

e065c8515d206cb0e190 (1785896) | more than 3 years ago | (#33232322)

Here comes Mark.

Re:*Smack Face* (2, Funny)

Anonymous Coward | more than 3 years ago | (#33232508)

Seriously? Who is freaking writing these web pages?

Probably an ex-Slashcode developer.

Re:*Smack Face* (0, Offtopic)

blai (1380673) | more than 3 years ago | (#33232534)

no -____-
Peter and I didn't work for Slashcode.

Re:*Smack Face* (0)

Anonymous Coward | more than 3 years ago | (#33232514)

Maybe they just did it for the challenge. ;)

Re:*Smack Face* (1, Informative)

mcgrew (92797) | more than 3 years ago | (#33232606)

It would have been easier to NOT include photo's and names than to build it in there!

Dude, please learn when to use an apostrophe [angryflower.com]. We have lots of non-native English speakers here, and they may assume that your use of language is educated, seeing as how this is a nerd site and all.

Moderators, please mod me down, I'm offtopic. Thx.

Re:*Smack Face* (1)

Pteraspidomorphi (1651293) | more than 3 years ago | (#33232762)

Maybe he's a non-native speaker himself ;)

Re:*Smack Face* (1, Informative)

Monkeedude1212 (1560403) | more than 3 years ago | (#33232800)

It is a bad habit I have. I'll write a sentence, then I'll read it over, and decide to change the structure entirely, then re-read it a bit to make sure it makes sense, then put it up there without looking too much at grammar.

So if I had said something like "The photo's location" but then decided the location part is irrelevant and I could just work it around to just say "the photos" then I do so, but it's all cut copy paste delete so the apostrophe remains in place. Makes errors and I apologize.

I also tend to form a lot of run on sentences or use too many commas, like that first sentence up there. I left it as is so you can see my general thought pattern. Normally I would go back and work my sentences into something with a little more sensible flow and pace. I have found that I abuse a hyphen quite frequently - as if putting it there makes it seem like a quick pause without needing to use a comma, which is terrible I know.

Re:*Smack Face* (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33233192)

Stop trying to justify it to yourself. Just fix your mistakes.

Re:*Smack Face* (0)

Anonymous Coward | more than 3 years ago | (#33233312)

Oh, shut up. Mistakes happen, especially while drafting. Blame /. for not allowing posts to be edited, not the poster.

Re:*Smack Face* (0, Troll)

neonmonk (467567) | more than 3 years ago | (#33234244)

The photo is location? What?

Seriously, learn when to use apostrophes.

Re:*Smack Face* (2, Interesting)

ilo.v (1445373) | more than 3 years ago | (#33232608)

Who is freaking writing these web pages? It would have been easier to NOT include photo's and names

I'm not defending their choices, but there is a legitimate reason why they would do this. Some users mistype their username, not their password. This results in a "failed login" screen. If there is no photo (or name) they may assume they have mistyped their password, and keep trying it over and over. Throwing up the picture associated with that account helps the user figure out that the reason they can't log in is because they are mistyping their username, not their password.

Re:*Smack Face* (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#33232958)

I see your point, and it is an excellent one. However, I think I would have preferred it being some kind of bug that suggests the page you are being redirected to when failing to login goes to a default page which then loads certain controls (like other facebook pages), and that it naturally shows the info when you are logged in. As opposed to a logical error that someone thought this would be a good idea and didn't consider the consequences of privacy involved with it. Not that I'm surprised with the current administration of the site or anything - nor that my preference of privacy issues being technical errors over design flaws makes any difference whatsoever.

Re:*Smack Face* (2, Insightful)

Abstrackt (609015) | more than 3 years ago | (#33233006)

I do some of my banking with ING and they let you select a combination of a picture and phrase that's unique to you, why couldn't Facebook implement the same? All they would need is a stock of pictures for people to choose from and a text field. If you don't see your selected picture and your selected text you'd know you tried logging into the wrong account.

Re:*Smack Face* (2, Insightful)

SmlFreshwaterBuffalo (608664) | more than 3 years ago | (#33233024)

I wouldn't call that a legitimate reason since that implies, well, legitimacy. Instead, it's simply a possible explanation for how they arrived at their poor choice.

A more secure solution to the problem you pose would be to clear the user name on the "failed login" screen in addition to the password, regardless of which is incorrect. And if anyone wants to argue that having to retype both would be inconvenient, I'll preemptively counter by saying security should not be sacrificed for the sake of convenience.

Re:*Smack Face* (0)

Anonymous Coward | more than 3 years ago | (#33233696)

..., I'll preemptively counter by saying security should not be sacrificed for the sake of convenience.

Because U.S. airports after 9/11 are totally secure. [//TODO: Quote something about liberty/security here.]

Re:*Smack Face* (1)

SmlFreshwaterBuffalo (608664) | more than 3 years ago | (#33233810)

I can't tell if you're agreeing or disagreeing with me, since website security and the dog & pony shows performed at U.S. airports are not even remotely related.

Re:*Smack Face* (0)

Anonymous Coward | more than 3 years ago | (#33233458)

Yeah, there is a legitimate reason to highlight which of the two fields were incorrect: convenience. However, there is an equally legitimate reason to highlight none of them: security. And the latter practice has been the standard practice for the last 10 years. The reason this seems incredulous is because the weakness exists in the largest website on the planet. Even a 14y/o novice PHP webdeveloper can spot this exploit ahead of time.

Re:*Smack Face* (5, Insightful)

yenne (1366903) | more than 3 years ago | (#33233378)

I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.

It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.

Re:*Smack Face* (5, Interesting)

paulbiz (585489) | more than 3 years ago | (#33233538)

I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases, I kept replying and forwarding them to sprint's customer care and they basically told me they can't do anything about it and to just delete them and not worry about it.

It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?

Re:*Smack Face* (2, Interesting)

Pharmboy (216950) | more than 3 years ago | (#33233602)

I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.

Glad to know I am not the only one. My yahoo email address, which I have used since the mid 90s when they started offering email (back when 9 characters was the maximum name size....) gets the same thing, legitimate "thanks for signing up" from legit companies, where some idiot didn't know their own email address. Ironically, my email address is a real oddball one, so how they would use it is beyond me.

Re:*Smack Face* (1)

yenne (1366903) | more than 3 years ago | (#33233672)

I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.

My e-mail address is also my full name with a "dot net" at the end, and I have chronic issues with customer service reps who don't know how to type anything other than "dot com".

That is pretty ridiculous about not being able to unsubscribe, though.

Re:*Smack Face* (4, Interesting)

Dhalka226 (559740) | more than 3 years ago | (#33233746)

I had the same problem happen, with some extremely sensitive data coming in.

In addition to somewhat mundane things like airline confirmations, hotel confirmations, etc, there were several letters about legal problems. The person they were trying to reach is apparently the head of an investment group and under investigation by the SEC. I also once received an email containing a bank account number with routing number. Usually it was sent to his (proper) business address and CC'd to my address, which I assume they thought was a personal address for him. When correspondence from lawyers starting coming in I decided it was well past time to start emailing these people and telling them to oh my god please stop. That's a can of worms I just wanted no part of whatsoever.

I did do a quick Google search for the guy; same last name, different first name (same first initial, the combination of which is my email address). Really a problem that shouldn't have happened, especially not that many times from that many different sources.

Re:*Smack Face* (0)

Anonymous Coward | more than 3 years ago | (#33233854)

One of my email addresses is "first name last initial@gmail.com". Among things, I've received correspondence from grandparents and relatives that I don't have, signups for online games from some kid, emails from the friends of some other kid, registration for the Playstation Network, private emails intended for some guy in upper management in some company I can't immediately recall, and an invitation and password to the signup site for the last Webby awards ceremony. Luckily I'm a nice guy and try to correct people after they've mistakenly emailed me.

Re:*Smack Face* (1)

ekhben (628371) | more than 3 years ago | (#33234480)

That's only 10,000 combinations. Brute force script it. Don't bother testing for success, just blast 10,000 HTTP requests at them.

Re:*Smack Face* (1)

RabbitWho (1805112) | more than 3 years ago | (#33233898)

I think they tried to copy the "active neopet" login security feature on Neopets.

Re:*Smack Face* (0)

Anonymous Coward | more than 3 years ago | (#33234136)

indeed, it's not a bug but a purposely designed feature.
just because a feature is stupid doesn't make it a bug.
or else 90% of fb would be bugs.

Not a Bug (5, Funny)

FrozenTousen (1874546) | more than 3 years ago | (#33232264)

It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

Re:Not a Bug (5, Funny)

Anonymous Coward | more than 3 years ago | (#33232360)

It's a very serious bug. Spammers aren't _supposed_ to be able to scrape that information without paying facebook for it.

Re:Not a Bug (0)

Anonymous Coward | more than 3 years ago | (#33235040)

Really? I thought they were just giving out samples.

Re:Not a Bug (4, Funny)

by (1706743) (1706744) | more than 3 years ago | (#33232448)

It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

Imagine how much simpler the plot for The Bourne Identity would have been.

Re:Not a Bug (0)

Anonymous Coward | more than 3 years ago | (#33233362)

Imagine how much simpler the plot for The Bourne Identity would have been.

I don't think so. He would have to have his email tattooed on the back of his neck and then spend 2 hours trying to read it.

Not The Only Problem (4, Insightful)

Revotron (1115029) | more than 3 years ago | (#33232276)

Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.

Re:Not The Only Problem (2, Interesting)

yincrash (854885) | more than 3 years ago | (#33232386)

A user can prevent the profile picture from showing, and you can't search by email address (that I know of). However, this bypasses the profile picture privacy option.

Re:Not The Only Problem (4, Informative)

e065c8515d206cb0e190 (1785896) | more than 3 years ago | (#33232428)

You can search by email address. And last time I checked the only way to not show your profile picture to the world was to not have one at all.

Re:Not The Only Problem (5, Informative)

creat3d (1489345) | more than 3 years ago | (#33232562)

You can set your profile not to be searchable by email address.

Re:Not The Only Problem (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33233434)

How exactly?

Facebook's configuration is so convoluted. Everything is spread around on different pages and stuff, so annoying. It's very hard to find any particular privacy or profile setting.

Re:Not The Only Problem (2, Insightful)

TheGratefulNet (143330) | more than 3 years ago | (#33232468)

I have no FB account (never will, either!) yet I can do a google cache search AND get 'goodies' on FB users that way.

so, that's yet another hole that needs to be patched.

Re:Not The Only Problem (5, Insightful)

natehoy (1608657) | more than 3 years ago | (#33232704)

This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".

POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.

Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.

So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.

Wow (1, Redundant)

mark72005 (1233572) | more than 3 years ago | (#33232286)

Just when you thought all the obvious exploits and privacy problems had to be gone by now, they go off and amaze us again.

Get ready for another irreducibly complex tier of privacy settings, I'm sure.

Re:Wow (1)

xMilkmanDanx (866344) | more than 3 years ago | (#33232538)

Actually, I'd say it's more symptomatic of the blacklist mentality. You get better security/data control if you have to whitelist access.

From TFA (5, Funny)

wideBlueSkies (618979) | more than 3 years ago | (#33232298)

>>Scraping Facebook for this type of information is prohibited, she added.

Oh, yes. That'll stop 'em. Stern warnings always do.

Re:From TFA (2, Funny)

Monkeedude1212 (1560403) | more than 3 years ago | (#33232392)

Strongly worded public letters deter most bots.

Re:From TFA (3, Insightful)

interkin3tic (1469267) | more than 3 years ago | (#33232546)

They should probably throw in a logical paradox to make their heads explode or short circuit. Like "It's forbidden to use this picture and name for evil purposes, because people want privacy, even though they put it all up there suggesting they don't want privacy... think about that."

There's only one problem...

"Santa-bot: Nice try. But my head was built with paradox-absorbing crumple-zones"

Need an adult (3, Insightful)

dan_sdot (721837) | more than 3 years ago | (#33232300)

Ok, we need an adult to start running this company please. Seriously, this Zuckerberg guy is so far out of his league it is laughable.

Re:Need an adult (2, Informative)

bkgood (986474) | more than 3 years ago | (#33233346)

Ageist much? Do you really think that a CEO like Zuckerberg wrote, demanded or even approved something as simple as a "spice up the login error page" project?

Anyway, the guy is 26. He can buy booze, fight for his country and successfully run a multi-million dollar company. Most of slashdot, even adult slashdot, cannot claim all three.

Finally, I really don't know what all the commotion is about, I just logged out of Facebook and tried logging back in with my email address and a bad password; I got the standard "bad email or password" error.

Re:Need an adult (0, Troll)

company suckup (1351563) | more than 3 years ago | (#33234282)

I seriously do not get this ungodly zeal for hiring 20-somethings to run the IT world. Time for the Sesame Street crowd to step aside for those who could construct a website that was actually user-friendly.

Could? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33232314)

"Could" be misused? How about "has" and "is"?

Not a bug but design flaw (0)

Anonymous Coward | more than 3 years ago | (#33232318)

And how hard could that possibly be to fix? Comment some code.. end of story.

Re:Not a bug but design flaw (0)

Anonymous Coward | more than 3 years ago | (#33232522)

But that doesn't give slashdotters an opportunity to rage, or even an opportunity for some PR about evil haxxors finding pictures of children!

Correction (1)

pseudorand (603231) | more than 3 years ago | (#33232334)

> that could be misused by spammers to harvest user names and photographs.

...that has been widely used by spammers, collection agencies, the government, terrorists, aliens (from outer space and otherwise), foreign governments and the like to harvest user names, photographs and e-mails for years.

There. Fixed that for you.

Scrambling, my ass... (3, Insightful)

bugs2squash (1132591) | more than 3 years ago | (#33232434)

The site should go down for maintenance until they fix the issue, and only then be brought back online.

Re:Scrambling, my ass... (2, Funny)

Anonymous Coward | more than 3 years ago | (#33233358)

The site should go down for maintenance until they fix the issue, and only then be brought back online.

Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking facebook access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)

This flaw is no longer available (5, Informative)

SplatMan_DK (1035528) | more than 3 years ago | (#33232478)

This flaw is no longer available on Facebook logon pages.

In fact it was removed before this story made it to the /. front page.

It was removed approx. 11 hours after the first public articles about it.

- Jesper

Re:This flaw is no longer available (1, Offtopic)

duplicate-nickname (87112) | more than 3 years ago | (#33232550)

+1...if I could.

Again Slashdot delivers slow, out-of-date news.

Re:This flaw is no longer available (2, Insightful)

C_Kode (102755) | more than 3 years ago | (#33232564)

In this case, I consider it a good thing.

Re:This flaw is no longer available (1)

guyminuslife (1349809) | more than 3 years ago | (#33233980)

I am currently reading a novel called "Rollback." In the story, Earth received a message from alien life forms on a distant planet in 2010. One of the main characters, a SETI researcher, doesn't find out about it until after the news has been leaked publicly. Her husband breaks it to her: "It's all over the Internet, including Slashdot!" And my reaction was, "What? Slashdot already has it on the frontpage? She must really be the last person to find out!"

Re:This flaw is no longer available (3, Interesting)

Anonymous Coward | more than 3 years ago | (#33232620)

Really? I just went to Facebook, put in my email address and a bad password, and I see "Login as: [My full name] [my email] Not you? click here". My picture is a blank picture, but it always is because I have all pictures turned off publicly. So, if they've removed the flaw, they've either not deployed it to all their servers yet (possible), or they really did a bad job of removing it.

Re:This flaw is no longer available (1)

prostoalex (308614) | more than 3 years ago | (#33234114)

What happened when you tried someone else's e-mail address?

Re:This flaw is STILL available (1, Informative)

Anonymous Coward | more than 3 years ago | (#33232628)

I just tested it. Logged out, logged back in with the wrong password.

Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.

Where are you getting your information again?

Re:This flaw is STILL available (1, Informative)

Anonymous Coward | more than 3 years ago | (#33232748)

I just tested it. Logged out, logged back in with the wrong password.

Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.

Where are you getting your information again?

Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before. I just tried a friend's email address and wrong password, and it didn't show me any information about him. He has never been logged into Facebook on this machine.

Return vs. Fresh Login (5, Informative)

Kelson (129150) | more than 3 years ago | (#33232964)

Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.

On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.

On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.

A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.

Re:Return vs. Fresh Login (4, Funny)

AnAdventurer (1548515) | more than 3 years ago | (#33233652)

Best line EVER: A spammer isn't going to have your cookies

Re:This flaw is STILL available (0)

Anonymous Coward | more than 3 years ago | (#33233360)

Do it again with a different email (a user you know of)... Its because of your cookies. Come on now....!

Re:This flaw is no longer available (0)

Anonymous Coward | more than 3 years ago | (#33232636)

Wrong. The first public article was on seclists.org, at which point the flaw was still alive and kicking.

Re:This flaw is no longer available (1)

blackraven14250 (902843) | more than 3 years ago | (#33232796)

Interesting point, considering he's talking about the flaw being fixed 11 hours after the first articles.

Re:This flaw is no longer available (0)

Anonymous Coward | more than 3 years ago | (#33232638)

It must have been a short lived bug because the first time I noticed they displayed the name/photo for me on a mistyped password, I tried someone else's account and it did not display their info.

Re:This flaw is no longer available (1)

rudy_wayne (414635) | more than 3 years ago | (#33232794)

This flaw is no longer available on Facebook logon pages.

In fact it was removed before this story made it to the /. front page.

It was removed approx. 11 hours after the first public articles about it.

- Jesper

Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.

Re:This flaw is no longer available (0)

Anonymous Coward | more than 3 years ago | (#33233004)

clear your cookies and stuff, the bug is gone now

Re:This flaw is no longer available (1)

Kelson (129150) | more than 3 years ago | (#33233030)

Try clearing your cookies in between (or just use a different browser), or test it with someone else's email address. It only shows your name and photo if you were previously logged on with the same account.

I'm not sure how wise that is, but it's certainly an improvement over any random person being able to extract the information (assuming, of course, that your name and photo aren't already publicly associated with that email address via other channels).

Re:This flaw is no longer available (0)

Anonymous Coward | more than 3 years ago | (#33234436)

Yep, if I try it with my regular account then I see my name and photo, but with a different account I get no extra information

Rolling out might take time? (1)

SplatMan_DK (1035528) | more than 3 years ago | (#33233350)

Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.

Fair enough, you tested it and found the flaw alive and kicking.

Did you flush your browser cache before testing? And did you ensure that you are not getting the page from a proxy server somewhere between you and the FB server?

If you are still getting the flaw (as I can see a number of other users are also reporting) my guess is that:

1.) They are getting cached results from somewhere
2.) Facebook has fixed the flaw, but propagating it to their 32.000 servers (literally dude) takes a little time.

Obviously I tested it myself before making the first comment ;-) and I am unable to get any information listed. I have tried with 5 accounts belonging to friends and family (and I picked the e-mails they use for their FB accounts) without getting any interesting information. I would (obviously) not post something like my first comment on a /. front page article without testing it first ...

Now, FB should still get hammered for being so damn stupid, but on the servers that I get results from the flaw is gone.

- Jesper

Re:This flaw is no longer available (4, Funny)

Farmer Tim (530755) | more than 3 years ago | (#33233058)

Slashdot: recent history for nerds, stuff that once mattered.

Re:This flaw is no longer available (1)

amicusNYCL (1538833) | more than 3 years ago | (#33234004)

Just tried right before this post with a browser I don't use Facebook on, with a couple email addresses for users from a forum that I admin. It most definitely showed real names for the people, although not pictures. Could be that none of them have pictures. It took 3 failed logins and then a captcha before it showed the name.

That's nothing. (-1, Offtopic)

Spazntwich (208070) | more than 3 years ago | (#33232488)

Granted, my research is strictly anecdotal, and I'm a catastrophically biased researcher in the first place, so you should probably mod me overrated even if I'm at -1.

But seriously, guys. I've noticed a much worse bug in facebook: Baby pictures.

I threw my entire life away because I knew I wouldn't be able to handle corporate culture. Every day some new father traipsing into work with photographic evidence of his inability to utilize birth control and demanding ritualistic expressions of adoration and amazement that he both figured out what to do with that dangly blood balloon and found a woman who didn't retch at the idea of aiding and abetting his genetic material's nefarious goals.

So now, here I am, unemployed and thinking about delivering pizzas again, at least safe in the knowledge that I'm free of retribution should some recent parent decide my emotional display didn't sate their narcissistic need for attention. Craigslist jobs section is getting boring. Let's see what hilarious inanity my friends have posted to their profiles.

Oh no.

Oh God no.

Is that a raisin? No, that's your purple, mucous covered mess of a clone fresh out of the vagina. A picture so offensive it wouldn't have even been acceptable in an office environment, but now thanks to the magic of facebook's YOU CARE ABOUT YOUR FRIEND'S FRIENDS LIVES policy is totally socially acceptable and rapidly becoming ubiquitous.

So now I have nothing. Is anyone hiring? I'll pretend your kids are cute.

Re:That's nothing. (1)

not already in use (972294) | more than 3 years ago | (#33232658)

I noticed lots of people take pictures of mirrors, too.

Re:That's nothing. (0)

Anonymous Coward | more than 3 years ago | (#33233808)

we should scrape the profile pictures for those not taken in mirrors, then sell their email addresses to mirror manufacturers

Re:That's nothing. (0)

Anonymous Coward | more than 3 years ago | (#33233588)

I don't like most babies a whole lot either, and I detest after-birth pictures, but you are overreacting by quite a bit. Your whinings are as annoying as the exuberant adulations of a newfound parent.

Optomist... (1)

ViViDboarder (1473973) | more than 3 years ago | (#33232494)

I noticed this the other day, but I was kind of hoping it only brought that up because I had a cookie and had logged in before... Guess not.

Scraping (2, Insightful)

wideBlueSkies (618979) | more than 3 years ago | (#33232558)

Jeez... you can write a perl script to do the scraping in about 15 minutes.

Besides the fix for the insecure functions on the page, I certainly hope they are doing IP blocking....

But what a bunch of PR jumbo... the problem is the result of a bug?? I'd disagree. I've seen the login error page. The function of showing the image and repeating the email address is by design. A horribly insecure design in the context of Facebook's privacy settings setup. But it was a design decision, not a bug.

At least that's how I see it.

Re:Scraping (3, Interesting)

RAMMS+EIN (578166) | more than 3 years ago | (#33233264)

``But it was a design decision, not a bug.''

Also, not telling whether they got the username correct or wrong is security 101.

This is yet another case of Facebook having done the wrong thing for their users' privacy, and correcting things only to lessen the negative publicity. It's not an accident.
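The "security 101" point above (a login failure should not reveal whether the account exists) as an added example; this is illustrative code, not Facebook's or anyone else's real login handler. The user store, e-mail addresses and password are constructed sample data. `leaky_login` reproduces the design the thread criticizes, where a wrong password for a known address returns that account's name and photo; `hardened_login` returns the same response for an unknown address and a wrong password, and does the same password-hashing work in both cases so that response timing does not become the next oracle.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a deliberately slow hash for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store (hypothetical data, not from the article).
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "photo_url": "/photos/alice.jpg",
        "salt": _ALICE_SALT,
        "pw_hash": _hash_password("correct horse battery staple", _ALICE_SALT),
    },
}

# Dummy credentials so that an unknown address costs the same hashing work
# as a known one (otherwise the response time reveals whether the account exists).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


def leaky_login(email: str, password: str) -> dict:
    """The design being criticized: three distinguishable outcomes, and the
    wrong-password branch echoes the account's name and photo back to whoever
    typed the address. Any address list can be checked against this."""
    user = USERS.get(email)
    if user is None:
        return {"status": "unknown_email"}
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return {"status": "ok", "name": user["name"]}
    return {"status": "wrong_password", "name": user["name"], "photo_url": user["photo_url"]}


def hardened_login(email: str, password: str) -> dict:
    """Unknown address and wrong password produce byte-identical responses,
    carry no profile data, and take the same hashing work."""
    user = USERS.get(email)
    salt = user["salt"] if user is not None else _DUMMY_SALT
    expected = user["pw_hash"] if user is not None else _DUMMY_HASH
    # Always compute the hash, then require a real user on top of a match.
    matched = hmac.compare_digest(_hash_password(password, salt), expected)
    if matched and user is not None:
        return {"status": "ok", "name": user["name"]}
    return {"status": "error", "message": "Incorrect e-mail address or password."}


if __name__ == "__main__":
    print(leaky_login("alice@example.com", "wrong"))      # leaks name and photo
    print(hardened_login("alice@example.com", "wrong"))   # generic error
    print(hardened_login("nobody@example.com", "wrong"))  # same generic error
```

Rate limiting and a CAPTCHA after repeated failures (which the thread also mentions) belong in front of either handler, but they only slow an enumeration down; the uniform response is what removes the oracle.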

The word AND is not in short supply (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33232576)

"Facebook Bug Could Give Spammers Names, Photos"

Names, Photos?

A comma was traditionally used in printing headlines in place of "and" because the litho did not usually have an ampersand character with which to save space.

There is no excuse for this misuse of the comma in the 21st century.

Re:The word AND is not in short supply (0)

Anonymous Coward | more than 3 years ago | (#33233522)

So what. All languages change over time smartass.

Lemme guess, you do not have a TV in your house, you drive a Prius, you're a vegan, and your main computer is an Apple... either that or you have the assburgers in your brain. Amiright?

Re:The word AND is not in short supply (1)

PhxBlue (562201) | more than 3 years ago | (#33233568)

How do you figure it's misuse? It was used in that headline to separate two items on a list. Since there are still a few print-edition papers here and there, it still makes sense to use commas in place of "and" for headlines.

*does not affect deactivated accounts (2, Funny)

Rooked_One (591287) | more than 3 years ago | (#33232798)

I deactivated my account long ago, and just checked - it doesn't say a word about who I am. Not sure if anyone else has tried this to actually see if it works.

Which is why... (0)

Anonymous Coward | more than 3 years ago | (#33233052)

Which is why you never use your real name on a non-pay website. Ever.

FB (0)

Anonymous Coward | more than 3 years ago | (#33233146)

People on Facebook live in a bubble if they believe they have any privacy. This website [fbfriendtracker.com] has a crude and clever way to keep track of who's deleting you on the site.

Predicted long ago (3, Interesting)

betterunixthanunix (980855) | more than 3 years ago | (#33233156)

My security engineering text (Anderson, 2nd edition) predicted that social networking websites would become security liabilities because of the amount of personal information they store about their members. That book was published in 2007.

"We were warned?"

Re:Predicted long ago (2, Interesting)

Archangel Michael (180766) | more than 3 years ago | (#33234018)

"Long ago" being any length of time greater than about 3 years???

Re:Predicted long ago (1)

betterunixthanunix (980855) | more than 3 years ago | (#33234660)

Considering how long these websites have been overwhelmingly popular, to the point of actually becoming security liabilities?

can also just search for email address. (1)

joostje (126457) | more than 3 years ago | (#33233318)

Not just the "re-enter password" page. If you enter an email address in the normal facebook search box, facebook will show you the name of the account that uses that email address (though not the photo, if it is blocked).

fuck3r (-1)

Anonymous Coward | more than 3 years ago | (#33233492)

obsessives and the as lit8tle o7erhead

Works for me (1)

gringer (252588) | more than 3 years ago | (#33233648)

I don't have a facebook account, but I tried a few random emails (pretty much name@gmail.com), and came up with a full name and photo (although more commonly just the full name).

  1. enter email address with 'mashed keys' as password
  2. enter email address with 'mashed keys' as password 2 more times at 'incorrect login' screen
  3. enter captcha
  4. if email address represents a real user, their name (and photo, if it exists) shows up

It knew who I was (0)

Anonymous Coward | more than 3 years ago | (#33233770)

I noticed this a couple of weeks ago. The weird thing is, instead of using the email address associated with facebook, I typed one of my other email addresses in by mistake when trying to log in and it knew who I was even though that particular email address had never been used with facebook ever. It even used the shortened form of my name that I use with that email address instead of the longer form I use with facebook. Where did it get that information? Fortunately it didn't have a picture of me associated with the other email address.

Re:It knew who I was (2, Informative)

forgot_my_nick (1138413) | more than 3 years ago | (#33233892)

Almost certainly some brain dead acquaintance of yours knows both your email addresses, had them in their email address book under your name and allowed Facebook to rifle through it when they signed up.

Internet security (3, Insightful)

LoudMusic (199347) | more than 3 years ago | (#33233878)

Q: Is your personal data safe?

A: [in form of a question] Is it in any way a part of the internet, including being on your own computer in your own home, which is connected to the internet? If yes, then no.

Hell, even if I don't have a Facebook account and someone takes a picture of me and uploads it to Facebook and tags it with my name, then the internet knows what I look like. Privacy is a joke.

On the other hand, perhaps there's a market in creating false identities for people as a false-data internet flood. As a business they would sign up for popular social networks with your name and upload a variety of pictures claiming to be you, with routine updates about things you're not actually doing. They could use their client list to 'friend' each other and build a nice false society. If someone on the internet ever posted true or factual information or pictures about you, it would be considered less reliable due to the voluminous FUD being provided by the company hired to provide false information, and therefore discarded.

Not news (1)

YoshiDan (1834392) | more than 3 years ago | (#33234618)

I noticed this 'feature' a long time ago when I entered my password wrong. I was a bit concerned at the time and I did think "what sort of idiot thinks of an idea like this"... At least they're fixing it.

What is the bug again? (1)

Alien1024 (1742918) | more than 3 years ago | (#33234708)

From TFA:

"We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," a company spokeswoman said in an e-mail message. "We are already working on a fix and expect to remedy the situation shortly."

If by "upon login" they mean when a wrong password is entered, I don't understand what the bug is, since the "Is that you?" screen is the intended behavior, not a buggy one. By the way, it only happens if the email address matches the account which was last logged in on the browser, and it forgets it if you wipe the cookies (maybe the "bug" is already fixed?). But even if that page was shown for any email, that's not the only or even the easiest way to get the name and picture matching an email; that's as easy as searching users by email.

Of course it's easy to build a phishing site that replicates the "wrong password" screen, but anyone who falls for such a phishing attempt has worse problems on the internet.
