Facebook Bug Leaks Birthday Data

It’s not a big deal but it does show a problem with the way Facebook deals with data and how much power they have over people’s privacy.

A small slip in coding could cause much worse problems than this, plus this could have happened before but no one picked up on it. It takes a certain amount of observational skill to notice something fairly subtle like this.

A glitch in a test version of Facebook’s Web site inadvertently exposed the birthdays of Facebook’s 80 million members this week.

The bug was discovered over the weekend by Graham Cluley, a senior technology consultant at Sophos. While checking out Facebook’s new design, Cluley noticed that the birth dates of some of his privacy-obsessed acquaintances were popping up when they should have been hidden.

Facebook allows users to control who sees private information such as their birth date, which can be a valuable nugget of data for identity thieves. But Cluley discovered that the new site was making this information public to other members. “Their new profile page essentially ignored the privacy setting to withhold the date of birth,” he said.

As said, identity thieves can have a field day with the birth date, but on Facebook it’s not too much of a threat.

But as always, you shouldn’t really put anything on ANY website that you don’t want other people to know about. It could get hacked, sold or, like this, inadvertently exposed.

“For a brief period of time, a small number of users were able to access a private beta of Facebook’s new site design meant only for developers. During that time, some of those users had their birthdays revealed due to a bug,” Facebook said Wednesday in a statement. The company could not say exactly how long this data was exposed or how many people viewed the beta site, but the bug was patched within hours of Cluley’s discovery.

Facebook may intend for the beta site to be private, but it has been open to the general public for several days. It features a new profile design that should be rolled out as an option to Facebook users some time this week.

Seems like a slip up somewhere with the development workflow, the beta site exposed to the public? The beta tree got merged with the live tree somewhere and rolled out?

I’m not exactly sure how the Facebook architecture works but I’d imagine it’s fairly complex.

Source: ComputerWorld

Posted in: Hacking News, Privacy

14 Responses to Facebook Bug Leaks Birthday Data

  1. Qubit July 18, 2008 at 5:17 am #

    “A small slip in coding could cause much worse problems than this, plus this could have happened before but no one picked up on it.”

    It has happened before. When FB first released its API for developers, the program had access to everyone’s birthday even when they set otherwise in their settings.

  2. Navin July 18, 2008 at 4:02 pm #

    as mentioned, its not abt the fact tht Graham Cluley will be able to surprise all his friends by telling them their B’days….its abt the lethargic approach tht facebook has taken towards the privacy of details of 80 million users!! BBC had come up with similar findings and exploits…….maybe you could read this


  3. Changlinn July 20, 2008 at 7:33 am #

    Thank god I have started to remove details from facebook, it really makes it a waste of time though.

  4. Nobody_Holme July 22, 2008 at 2:20 am #

    Just like to mention… the BBC did this about 3 months back. Then they blogged it, then they loled. Then facebook said “no, actually you cant do what you said you did”, then the beeb said “fail, we just did, heres some proof” then facebook said “d’oh”. (or something like that)

  5. Navin July 22, 2008 at 2:15 pm #

    @ Nobody_Holme

    the links right above Ur comment mate!!

    The BBC report was aired on the net news show “Click” for 3 whole episodes and this says a lot abt the leak.

    Simple solution……just don’t give away data that you don’t want to become public……its much more sensible than providing the data and then checking the “don’t share this with others in my network” button!!

  6. Morgan Storey August 10, 2008 at 8:04 am #

    @Navin: agreed but it is kind of sad that the net has come to this. I remember the days when you could post anything and everyone would pretty much respect your privacy. Even whois data isn’t safe; a while ago someone started pranking one of my clients on her relatively new phone number, the only place we could find it was in her whois, well that has now been changed. Very sad.

  7. Navin August 10, 2008 at 10:41 am #

    ya, I still remember this TV report concerning online privacy. There was a black N white video showing a librarian who was in the national media scene coz she refused to keep a password for her library server account….she was so sure that doing this would not affect her privacy!! sheesh

    Its simple in my opinion….Instead of Giving your details and then choosing “don’t show my friends”, simply don’t provide any details at all!!

    In India, some bloggers who openly posted about politically sensitive issues, were literally hunted down and their blogs were suddenly shut down with no apparent reason…There’s very little freedom of speech…its all just in tht piece of paper we call the constitution!!

  8. lyz August 12, 2008 at 4:23 pm #

    Well with this kind of issues, they should really start working on their codes esp. with the growing number of Facebook users and the fact that most of them have a little knowledge on the technical side.

  9. Morgan Storey August 12, 2008 at 10:53 pm #

    @lyz: I am always surprised by friends and ex-colleagues that have their facebook profiles open for anyone to look at, including dob and other details. Facebook needs to protect these people from themselves. Show only limited fields to any random that looks, and maybe ask for less details, saying these details aren’t required and may reduce your privacy. Though that doesn’t make good business.

  10. Morgan Storey August 16, 2008 at 9:50 am #

    @Navin: Just re-read your post, early Unix days the admins hated when AT&T put in passwords, so everyone just set their password to password, so everyone knew each others and could get in and get their work done. Times have changed so much, one day it may seem strange to post personal thoughts to a website as it is letting people in to your psyche.

  11. Navin August 16, 2008 at 4:10 pm #

    Oh yeah…privacy seems to be the keyword today…its almost like people have grown horns and a tail (I refer to the devil here in case U don’t get it!! :) ) No one cared bout privacy earlier coz even if Ur id was hacked what would U lose?? A few mails?? But now with millions of $$$ on the net, and real $$$ on the line…Privacy has certainly taken centre stage.

  12. Morgan Storey August 17, 2008 at 12:32 am #

    @Navin: very true, just interesting to see the changes. The internet is just like the real world, only a little bit behind the times. Security has not yet entered the whole common consciousness, some still “leave their door open” or just have the basic lock and key when they are living in a bad neighbourhood. The internet as a whole is a bad neighbourhood, a lot of miscreants, kids that want to get their name on a popular overpass.

    Last night I was having a discussion with a couple of non-security, non-IT, friends who had no issue with all their info being on facebook. I tried to explain that if they have your name and your DOB, your identity is pretty close to forfeit.

  13. Navin August 18, 2008 at 3:15 pm #

    And let me guess…they told U tht U were crazy and were reading too many hacking books….at least tht’s wht my friends told me…they’re like ” Dude, the guys at facebook care bout our privacy!! They’ve gotten security experts working round the clock trying to protect our data”

    Ya “dude”, don’t come crying to me when Ur personal details gets stolen and misused

  14. Morgan Storey August 19, 2008 at 12:57 am #

    @Navin: yep, you are too deep into security to see the outside world they said. Besides they can only see that if I add them… but it is a leak I replied, they don’t need to add you. It is like hitting your head against a wall.