The Channel Wire

March 25, 2008

Facebook, the widely-used social networking site, has come under fire Tuesday for a security loophole that made it possible for strangers to view users' personal photos. At the same time, a security expert revealed Facebook may also be the target of a new attack in which hackers invade users' accounts and randomly upload ghastly pictures to their photo albums or alter personal text.

On Tuesday, the Associated Press reported that a Facebook security hole makes it possible for strangers to view users' personal photos. According to the Associated Press, a Canadian computer technician was able to pull up pictures posted by Facebook members and their friends, despite privacy settings being set to restrict the audience to a limited number of friends.

Facebook said that bug was fixed quickly. Before that, however, the Canadian technician was able to trick the site and find private pictures of Paris Hilton and several others who had not given him access to their photos, the AP noted.

These two new flaws come roughly a week after Facebook, which boasts 67 million users, introduced privacy updates that gives users more control over the information they choose to share on the site. The updates give users the ability to share and restrict information based on specific friends or friend lists.

The Palo Alto, Calif.-based Facebook came under fire late last year when it allowed users to turn off a controversial feature called Beacon, which monitors the Web sites they visit and shares them with friends.

And while strangers being able to look at private pictures may be startling, another Facebook discovery revealed this week was even more chilling.

Chris Boyd, Webmaster for Vitalsecurity.org, a computer security company, and director of malware research of security vendor FaceTime, said he's received confirmation of at least two hijacked Facebook accounts, which he said he believes were invaded by the same person, Boyd said he expects more news soon. In one case, the hacker posted pictures of children being tortured into the Facebook user's photo album. In the other, the user's account was entered and personal text was completely altered.

"So far, I only have one definite confirm on at least two accounts that were taken over (most likely by the same individual), one of which had the child torture pictures uploaded to it, and the other " well, it wasn't child torture, but it nearly cost someone their marriage, according to my friend," Boyd wrote in his blog.

Boyd said the new attacks, which happened a few weeks back, go well beyond invasion of privacy, however. The victims were not related in any way, Boyd said, however, they were both on one user's friends list.

"We're trying to see if anyone else has been hit by this," Boyd said. "These kinds of thing have a chilling effect on social networking."

Boyd added that he's heard rumblings of other hacks as well.

"I've also heard a few mutterings about other accounts taken over with extremely dubious content posted to them, but nothing confirmed on those yet," Boyd said.

Boyd said it's still unclear if the attacks were isolated incidents or if they're part of a larger hacking or hijacking. He said it's most likely that the two victims were targets of a phishing scam that used Facebook as the bait.

Boyd advised caution, especially for folks access Facebook from work. He said it's not necessarily time for Facebook users to panic, but taking better care with login credentials and other applications could help avoid such attacks.

"Obviously, if you're at work (or even at home) and you suddenly click into the kind of material mentioned above, you could get into all sorts of trouble real fast," Boyd wrote. "While I'm not about to suggest everyone jumps out of Facebook right this instant, I would advise extreme care with your login credentials while this lunatic is on the loose."