
Thursday, June 27, 2013

Facebook Bug worse than reported - Non-users also affected - ZDNet

This is just one more reason why I don't put anything personal or important to me on Facebook! :O


Firm: Facebook 'bug' worse than reported; non-users also affected

Summary: According to the firm who found the bug, Facebook's email to six million users affected by its shadow profiles leak left out some numbers. Plus, non-user contacts were also leaked. UPDATED with Facebook responses (inline).

The security researchers who found Facebook's shadow profiles vulnerability have compared their numbers to what Facebook told its users in emails, and the numbers don't match.

They say Facebook told users the data exposure is much less than what the researchers found, and the researchers also say Facebook is hoarding non-user contact information — seen when it was also shared and exposed in the leak.

Friday Facebook announced the fix of a bug it said inadvertently exposed the private information of over six million users when Facebook's previously unknown shadow profiles accidentally merged with user accounts in data history record requests. 

Since at least 2012, Facebook users who used the Download Your Information (DYI) tool to get their data history record also got an address book with contacts users had never provided to Facebook.

Facebook explained the issue to ZDNet Sunday after user anger exploded — saying that when a Facebook user uploads an address book, the social network obtains all contacts in the user's database and saves all of them.

Users are still furious and were unaware that their not-for-sharing, offsite phone numbers and email addresses are being collected, stored, secretly matched to them (and now accidentally shared) by Facebook.

In its Friday email, Facebook disclosed the security and privacy flaw to users, but no one knew that Facebook's email wasn't telling the whole story — except security researcher Michael Fury (who originally found the vulnerability) and colleagues at Packet Storm Security (and anyone quietly exploiting the data breach).

Because Packet Storm had prior test data verifying the leak, they were able to compare what they knew was actually being revealed in the DYI reports against what Facebook reported to its users via email — as well as what Facebook told the press.

Packet Storm wrote in Facebook: Math of the Aftermath,

We compared Facebook email notification data to our test case data. In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed.

For another individual, they only told him about 3 out of 7 pieces of data were disclosed.

