If you’ve been wondering why Facebook chat was mysteriously “down for maintenance” during normally high-usage hours this morning, it’s probably because they were alerted this morning to a pretty serious security hole in their privacy settings.
The hole allowed for what can only be called one of the easiest exploits in recent memory; it allowed any Facebook user to see his or her friends’ live chats and pending friend requests just by typing their names in the site’s built-in privacy preview page. TechCrunch Europe received a tip about it earlier this morning, along with a link to a YouTube video showing the exploit in action, and notified Facebook almost immediately.
Whether it’s the way they’ve made it nearly impossible to simply upload a profile picture without getting hassled to install worthless software, or the fact that at any given point in the day something on Facebook is horribly broken, disaffected Facebook users already have enough to worry about without having their friends eavesdropping on their private conversations.
A site this broken is usually tagged “in beta!” and comes with caveats like “use at your own risk.”
Facebook’s reaction to the exploit was surprisingly straightforward:
“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.”
This latest in a long line of completely preventable screw-ups only goes to show that the only thing Facebook’s team is really good at is showing the world time and again that it’s technically inept and largely irresponsible — but at least they’re learning to quickly admit their failings.
Now, all the recent buzz about Facebook’s privacy shortcomings (yes, it’s an understatement) has many users wanting out. Unfortunately, leaving Facebook can prove to be much more difficult a prospect than anyone could have guessed, and most users simply give up after falling under the impression that they can’t delete their accounts.
While it may be difficult, deleting your Facebook account is not impossible; you just need to know where to look. For one thing, users often get lost trying to find account-ending options because Facebook files the help questions about them under misleading labels; in this case it’s “Security: Hacked Account.”
Once there, you’ll see that after lengthy stalling, it finally gives you a link to the fabled account deletion request form. Don’t think you’re completely out of the woods once you hit that final submit button though, because they’ve built in a 14-day cooling-off period that keeps your account frozen but available should you change your mind.
If you don’t quite want to delete your account, you may be toying with the idea of deactivating it. You might think that deactivation is good enough, since Facebook says that “your profile and all information associated with it are immediately made inaccessible to other Facebook users.” What’s missing here is a breakdown of exactly what happens to your account. While it’s true that your profile will be ghosted, you won’t be. You can still be tagged in photos, notes, and status updates just like normal. For all intents and purposes, most people won’t notice you’ve left — because you really haven’t.
If you’re going to kill your account, be sure to uninstall any Facebook Mobile apps from your phones, clear Facebook cookies, and make sure you don’t leave any Facebook Connect sites set to automatic login. If you accidentally log into your account during those final 14 days, you reactivate your account and have to go through the process all over again.
Sometimes, there really is no shame in quitting.
You’ve got to hand it to Facebook. They certainly know how to do security — not.
Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information.
Unbelievable I thought, until I just tested the exploit for myself.
And guess what? It works.