17 July 2008

Facebook Bug Leaks Birthday Data

It’s not a big deal but it does show a problem with the way Facebook deals with data and how much power they have over people’s privacy.

A small slip in coding could cause much worse problems than this, and this could have happened before without anyone picking up on it. It takes a certain amount of observational skill to notice something as subtle as this.

A glitch in a test version of Facebook’s Web site inadvertently exposed the birthdays of Facebook’s 80 million members this week.

The bug was discovered over the weekend by Graham Cluley, a senior technology consultant at Sophos. While checking out Facebook’s new design, Cluley noticed that the birth dates of some of his privacy-obsessed acquaintances were popping up when they should have been hidden.

Facebook allows users to control who sees private information such as their birth date, which can be a valuable nugget of data for identity thieves. But Cluley discovered that the new site was making this information public to other members. “Their new profile page essentially ignored the privacy setting to withhold the date of birth,” he said.

As said, identity thieves can have a field day with the birth date, but on Facebook it’s not too much of a threat.

But as always, you shouldn’t really put anything on ANY website that you don’t want other people to know about. It could get hacked, sold or, as in this case, inadvertently exposed.

“For a brief period of time, a small number of users were able to access a private beta of Facebook’s new site design meant only for developers. During that time, some of those users had their birthdays revealed due to a bug,” Facebook said Wednesday in a statement. The company could not say exactly how long this data was exposed or how many people viewed the beta site, but the bug was patched within hours of Cluley’s discovery.

Facebook may intend for the beta site to be private, but it has been open to the general public for several days. It features a new profile design that should be rolled out as an option to Facebook users some time this week.

Seems like a slip-up somewhere in the development workflow: was the beta site exposed to the public? Did the beta tree get merged with the live tree somewhere and rolled out?

I’m not exactly sure how the Facebook architecture works but I’d imagine it’s fairly complex.

Source: ComputerWorld




14 Responses to “Facebook Bug Leaks Birthday Data”

  1. Qubit 18 July 2008 at 5:17 am Permalink

    “A small slip in coding could cause much worse problems than this, plus this could have happened before but no one picked up on it.”

    It has happened before. When FB first released its API for developers, the program had access to everyone’s birthday even when they set otherwise in their settings.

  2. Navin 18 July 2008 at 4:02 pm Permalink

    as mentioned, its not abt the fact tht Graham Cluley will be able to surprise all his friends by telling them their B’days….its abt the lethargic approach tht facebook has taken towards the privacy of details of 80 million users!! BBC had come up with similar findings and exploits…….maybe you could read this

    http://news.bbc.co.uk/2/hi/programmes/click_online/7375772.stm

  3. Changlinn 20 July 2008 at 7:33 am Permalink

    Thank god I have started to remove details from facebook, it really makes it a waste of time though.

  4. Nobody_Holme 22 July 2008 at 2:20 am Permalink

    Just like to mention… the BBC did this about 3 months back. Then they blogged it, then they loled. Then facebook said “no, actually you can’t do what you said you did”, then the beeb said “fail, we just did, here’s some proof” then facebook said “d’oh”. (or something like that)

  5. Navin 22 July 2008 at 2:15 pm Permalink

    @ Nobody_Holme

    the links right above Ur comment mate!!

    The BBC report was aired on the net news show “Click” for 3 whole episodes and this says a lot abt the leak.

    Simple solution……just don’t give away data that you don’t want to become public……its much more sensible than providing the data and then checking the “don’t share this with others in my network” button!!

  6. Morgan Storey 10 August 2008 at 8:04 am Permalink

    @Navin: agreed but it is kind of sad that the net has come to this. I remember the days when you could post anything and everyone would pretty much respect your privacy. Even whois data isn’t safe; a while ago someone started pranking one of my clients on her relatively new phone number, the only place we could find it was in her whois, well that has now been changed. Very sad.

  7. Navin 10 August 2008 at 10:41 am Permalink

    ya, I still remember this TV report concerning online privacy. There was a black N white video showing a librarian who was in the national media scene coz she refused to keep a password for her library server account….she was so sure that doing this would not affect her privacy!! sheesh

    Its simple in my opinion….Instead of Giving your details and then choosing “don’t show my friends”, simply don’t provide any details at all!!

    In India, some bloggers who openly posted about politically sensitive issues, were literally hunted down and their blogs were suddenly shut down with no apparent reason…There’s very little freedom of speech…its all just in tht piece of paper we call the constitution!!

  8. lyz 12 August 2008 at 4:23 pm Permalink

    Well with this kind of issues, they should really start working on their codes esp. with the growing number of Facebook users and the fact that most of them have a little knowledge on the technical side.

  9. Morgan Storey 12 August 2008 at 10:53 pm Permalink

    @lyz: I am always surprised by friends and ex-colleagues that have their facebook profiles open for anyone to look at, including dob and other details. Facebook needs to protect these people from themselves. Show only limited fields to any random that looks, and maybe ask for less details, saying these details aren’t required and may reduce your privacy. Though that doesn’t make good business.

  10. Morgan Storey 16 August 2008 at 9:50 am Permalink

    @Navin: Just re-read your post, early Unix days the admins hated when AT&T put in passwords, so everyone just set their password to password, so everyone knew each others and could get in and get their work done. Times have changed so much, one day it may seem strange to post personal thoughts to a website as it is letting people in to your psyche.

  11. Navin 16 August 2008 at 4:10 pm Permalink

    Oh yeah…privacy seems to be the keyword today…its almost like people have grown horns and a tail (I refer to the devil here in case U don’t get it!! :) ) No one cared bout privacy earlier coz even if Ur id was hacked what would U lose?? A few mails?? But now with millions of $$$ on the net, and real $$$ on the line…Privacy has certainly taken centre stage.

  12. Morgan Storey 17 August 2008 at 12:32 am Permalink

    @Navin: very true, just interesting to see the changes. The internet is just like the real world, only a little bit behind the times. Security has not yet entered the whole common consciousness, some still “leave their door open” or just have the basic lock and key when they are living in a bad neighbourhood. The internet as a whole is a bad neighbourhood, a lot of miscreants, kids that want to get their name on a popular overpass.

    Last night I was having a discussion with a couple of non-security, non-IT, friends who had no issue with all their info being on facebook. I tried to explain that they have your name, and your DOB, your identity is pretty close to forfeit.

  13. Navin 18 August 2008 at 3:15 pm Permalink

    And let me guess…they told U tht U were crazy and were reading too many hacking books….at least tht’s wht my friends told me…they’re like ” Dude, the guys at facebook care bout our privacy!! They’ve gotten security experts working round the clock trying to protect our data”

    Ya “dude”, don’t come crying to me when Ur personal details gets stolen and misused

  14. Morgan Storey 19 August 2008 at 12:57 am Permalink

    @Navin: yep, you are too deep into security to see the outside world they said. Besides they can only see that if I add them… but it is a leak I replied, they don’t need to add you. It is like hitting your head against a wall.