Wednesday, 5 May 2010

BBC News - Facebook fixes embarrassing security flaw

Facebook logo reflected in an eye Facebook privacy is once again under scrutiny

Facebook has fixed a security flaw that allowed users to eavesdrop on the live chats of their friends and see their pending friend requests.

The exploit used the site's privacy features - intended to protect a user - to expose the personal information.

With just a few clicks users could spy on their friends' personal chat messages and see who had requested to join their network.

Facebook has temporarily removed its chat facility while it fixes the flaw.

The exploit - originally reported by the blog TechCrunch - worked via an option in privacy settings that allows people to preview their profiles as it would appear to their friends.

Prompt fix

But it was never intended to show others what their friends were actually doing.

"For a limited period of time, a bug permitted some users' chat messages and pending friend requests to be made visible to their friends by manipulating the 'preview my profile' feature of Facebook privacy settings," Facebook said in a statement.

"When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete," it added.

The chat function will be turned back on "shortly" it said.

"For any organisation, whether you are a social networking site or not, privacy breaches are worrying," said Candid Wueest, security expert at Symantec.

"Unfortunately, this isn't the first privacy breach of its kind to plague a social networking site - other high-profile sites have also been affected with similar problems."

He praised Facebook's quick response to the issue.

"Facebook has acted quickly in fixing the alleged flaw, whereas some social networking sites have been known to take days to fix issues reported," he said.

Confirms my doubts about FB!Everyone should check their security settings.

Posted via web from dannymaher's posterous

No comments: