Late last week I got a message from someone who wants to be known as “The Harmony Guy,” saying he had devised a method that could have been successful (eventually) in meeting the terms of the SMUG $100 Facebook Hacker Challenge. Harmony Guy is a social hacker of the “white hat” variety, as you’ll see in his blog, where he publicly exposes security flaws from social networking sites and urges the companies to fix them.
I learned a lot about Facebook security through my interaction with him, and you will, too. Here’s what he said:
I noticed that you’ve withdrawn your challenge… since that’s the case, I’ll go ahead and let you know what I was up to. I’m a little disappointed that it’s over, because I did find a method that works, albeit indirectly.
You got a message from me last week asking you to look at an application I’d created. I am an amateur Facebook developer, and the application worked as advertised – it’s very simple and you wouldn’t notice anything unusual when you used it.
However, last week I inserted some code that would automatically e-mail me all the info on your group, including the “Recent News” section, as soon as you accessed the application. In a way, the modified application is a (targeted) Facebook version of phishing.
I was hoping you’d check the application not only for the reward but so that I could use it as a springboard on my own blog to talk about Facebook applications and access to data. The technique illustrates to me how much power Facebook applications have – though I’ll add that Facebook’s platform security makes them much more limited than it could be. The platform is essentially designed on the honor system, since Facebook doesn’t have a way to directly tell if applications are storing data or not. And any time a user accesses an application, that app typically can get to anything on Facebook the user can get to.
So far I’m not aware of any issues with rogue applications, but I wouldn’t be surprised to see people taking advantage of simple, viral apps (I get invites every week for some new quiz application) to unknowingly collect data from users.
I wasn’t sure if you’d count my technique, since technically it’s not a hack of Facebook, merely leveraging the power of the platform, but I thought I’d try anyway. The second part (uploading a picture) would have been much more difficult, since it would essentially require spoofing user credentials… I had some leads on possible methods for getting myself invited to your group (one of which would also require a quasi-phishing technique), but they still would have required more effort before they worked.
And later he added…
One more thing – while you’re right that you made things easy by disclosing the address of the group, I could adapt the code in my application to get info on other secret groups you’ve joined, so even if I didn’t know much about the group the hack would still work.
And to clarify, in case you wondered, I only did this as part of your challenge and have no malicious intent – I would not want to get my Facebook canceled over a TOS violation either, and by issuing the challenge I took that as your consent for letting me access your data like this. Besides, I’m not sure my code actually violates the letter of the TOS by the way I set it up.
My response was:
Hi Harmony Guy – I will be blogging about this, and will protect your identity.
So can you get information beyond the “Recent News” section?
And is it based on me accessing the group? I’m assuming that if there were other group members, and one of us had installed your application, the information in the group would be emailed to you. Is that right?
Thanks for contributing to the growth of my knowledge about Facebook security. I will check out your application so you can prove that it works.
I then installed the Facebook application Harmony Guy had sent me previously, and the next day I got this note from him:
The information about a group that an application can access is fairly limited – it includes things like description, location, web site, etc. An application can also get a list of group members. The access is based on you being a member of the group – my code was targeted at you specifically, but I could have easily adjusted to grab the information from any group member.
I should add that I don’t think my technique invalidates your point that Facebook is a secure place to do business. (emphasis added) Since the initial challenge was simply to read the recent news section, that’s what I did – but I can’t currently do much more. For instance, I’m not aware of any way for me to access the group discussion board without joining the group. Applications can access a good deal of information about a user, but I would assume people aren’t posting sensitive business information on their profiles. Most communications with other users, such as messages, are not accessible to applications.
For the record, Harmony Guy then did send the text I had placed in the “Recent News” section of this secret group.
So what does this all mean for people wanting to use Facebook for business communications?
- As I said previously, putting bank account or Social Security numbers or nuclear missile launch codes in a secret Facebook group is a bad idea.
- Steve Jobs might not want to use a secret Facebook group to discuss launch plans for the newest iPhone, but if your information isn’t that hot, you’re probably safe. For mundane business communications that don’t involve major strategic discussions, you should have virtually no risk. Let’s face it: most of what you would be discussing in your group would be really boring to almost anyone.
- You probably want to be careful which Facebook applications you install, and how many people you invite to be in your secret group. More users means more opportunity for a purposeful or inadvertent leak (just as it does with group e-mails).
- A secret group in Facebook is a good way to communicate via the messaging functions, and those messages cannot be accessed by Facebook applications.
- Keeping your secret group a secret instead of publishing its URL on your blog would keep your data a lot safer.