Facebook suffers yet another security issue.

May 20, 2010

It appears that Facebook has suffered from yet another security issue that allows users to view and change private profile information.

As reported by Alert Logic:

“Alert Logic discovered a vulnerability in Facebook that could have led to exposure of private information or defacement of user pages. If the user clicked a specially crafted link while signed into Facebook, the attacker would have been able to modify user privacy settings or alter the user’s profile.”

Facebook's servers use a special token called a "post_form_id" to track the activity of a browser when performing various tasks, such as liking a group, but by deleting this token from the request, the user was able to make various changes to account by passing the privacy security.

This comes in the heels of another bug reported a couple of weeks ago that enabled users to snoop on live chats of their friends.

There are many users that that are losing patience with the lack of security around the site and rushing to close their accounts.  Just check out the rise in Google queries for people seeking to delete the accounts.

Bizarrely as the popularity of Facebook has increased, the privacy has been eroded.  When Facebook first launched, only students of Hardvard could apply and you had to prove you were a Hardvard student.  But now, anyone can create an account without any verification.  But it is in Facebooks interest to share more information because this is how they make money.

It does not help Facebooks reputation when it’s creator Mark Zuckerberg (who allegedly stole the idea) has such a poor attitude toward privacy.

However, if Facebook privacy does bother you then the best advice is not to post this type of information on the internet anywhere.  Whilst I wholly agreed with this statement the fact is that the system is not working as expected so users lose faith in the service and stop trusting Facebook which has the potential to damage its reputation and subsequent investment.