Facebook's Targeted Advertising Blamed In Gay British Teen Allegedly Being Thrown Out Of Home

[A gay teen] was thrown out of his London home after his parents discovered “incriminating” gay content on his Facebook page [which] was not intentionally placed on their son’s Facebook page by him, but rather the targeted advertising generated by the site itself based on a user’s activities and relationships.

How did I miss this? (Start at about 8:30)

(via TechCrunch)

What could make My little piece of privacy more kickass? Chiptunes.

Another Facebook privacy FAIL

I was investigating the Facebook API this morning (which has, not surprisingly, changed since the last time I used it) and stumbled across the main API page, which has a bunch of sample requests posted, one of them being the “User Object” request. When you click on the sample link listed there, you get a response for Bret Taylor.

I decided to mess around with Bret Taylor’s “User Object” URL to see if one would work for my profile. So I changed the “btaylor” to “jessefulton” and, lo and behold, I could see myself using Facebook’s API. I was logged in, so I’m glad this worked. But given Facebook’s dodgy past with security of information, I wondered if anyone could see my information using this API.

So I opened up Safari, made sure I was logged out, and tried to view jessefulton’s information using the Facebook API. Sure enough, there it was. Even though I have pretty strict security settings on my account (my own public profile page doesn’t show up for unauthenticated users), all of my information shows up there: my address, previous employers, education history, birth date, etc. Despite the fact that I’ve hidden some of that information from everyone, anyone using the Graph API can still see it!

Try it yourself… while logged into Facebook, go to http://www.facebook.com/ and click on your name in the upper left-hand corner. Your URL in your browser window should now have something like #!/jessefulton or /profile.php?id=5403540 at the end of it. Take note of the part after #!/ or id= (jessefulton or 5403540 in those examples). Whatever that is in your browser is your User ID. Now go to Facebook’s main API page and click on the link to see Bret Taylor’s user information. In the URL on that new page, change “btaylor” to the User ID you pulled from your profile page. You should be seeing all of the information you’ve entered into Facebook regardless of your privacy settings.

Want some more privacy fun? Try adding /videos or /notes after your User ID in the API URL. Or just check out this browser that someone wrote using these same security holes.
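The self-check described above, written out as an added example (not code from the post): it turns either profile URL form into the User ID and compares an API response against the fields you believe you hid. The graph.facebook.com URL, the JSON field names and the sample response are assumptions constructed for the example.

```python
"""Audit which 'hidden' profile fields an unauthenticated Graph API call returns."""
import json
import re
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# Assumption: the unauthenticated user-object endpoint the post describes. Later Graph
# API versions require an access token, so this may no longer return anything.
GRAPH_USER_URL = "https://graph.facebook.com/{user_id}"

# Assumed field names for the data the post saw exposed despite privacy settings.
SENSITIVE_FIELDS = {"address", "birthday", "work", "education", "location", "hometown"}


def user_id_from_profile_url(url: str) -> str:
    """Extract the User ID from either profile URL form the post mentions:
    .../#!/jessefulton  or  .../profile.php?id=5403540"""
    parsed = urlparse(url)
    if parsed.path.endswith("profile.php"):
        ids = parse_qs(parsed.query).get("id")
        if ids:
            return ids[0]
    m = re.match(r"!/([A-Za-z0-9.]+)", parsed.fragment)  # hash-bang vanity form
    if m:
        return m.group(1)
    m = re.fullmatch(r"/([A-Za-z0-9.]+)/?", parsed.path)  # plain vanity form
    if m:
        return m.group(1)
    raise ValueError(f"no user id found in {url!r}")


def exposed_fields(api_response: dict, hidden_fields: set = SENSITIVE_FIELDS) -> list:
    """Return the hidden fields that come back non-empty in the API response."""
    return sorted(f for f in hidden_fields if api_response.get(f))


def audit_own_profile(profile_url: str) -> list:
    """Fetch your own user object with no session and report leaked hidden fields.
    Makes a network request; run it yourself rather than in tests."""
    user_id = user_id_from_profile_url(profile_url)
    with urlopen(GRAPH_USER_URL.format(user_id=user_id)) as resp:
        return exposed_fields(json.load(resp))


# Constructed sample standing in for a logged-out response; not real data.
SAMPLE_RESPONSE = {"id": "5403540", "name": "Sample User", "birthday": "01/01/1980",
                   "work": [{"employer": {"name": "Example Corp"}}],
                   "education": [], "hometown": None}
```

Run `audit_own_profile("http://www.facebook.com/profile.php?id=<your id>")` against your own ID only; an empty list means none of the listed fields leaked.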

So, keep in mind how poorly architected and mismanaged (this was originally documented over 5 months ago) the Facebook application is before you go and share all of your information with the world, because even if you think it’s protected… it’s not.