Saturday 31 July 2010

How 100 mn Facebook users' info got leaked

Facebook SecurityThe man who harvested and published the personal details of 100 million Facebook users has said that he only disclosed what was already public information.

Ron Bowes, a security consultant, used a piece of code to scan Facebook profiles, collecting data not hidden by the user's privacy settings.

The list, which contains the URL of every searchable Facebook user's profile, name and unique ID, has been shared as a downloadable file. Bowes said that he did it as part of his work on a security tool.

"I'm a developer for the Nmap Security Scanner and one of our recent tools is called Ncrack," the BBC quoted him as saying. "It is designed to test password policies of organisations by using brute force attacks; in other words, guessing every username and password combination," he added.

By downloading the data from Facebook, and compiling a user's first initial and surname, he made a list of the most common probable usernames to use in the tool.

In theory, researchers could then combine this list with a catalogue of the most commonly used passwords to test the security of sites. Similar techniques could be used by criminals for more nefarious means.

Bowes said his original plan was to "collect a good list of human names that could be used for these tests.” "Once I had the data, though, I realised that it could be of interest to the community if I released it, so I did," he added.

Bowes confirmed that all the data he harvested was already publicly available but acknowledged that if anyone now changed their privacy settings, their information would still be accessible.

"If 100,000 Facebook users decide that they no longer want to be in Facebook's directory, I would still have their name and URL but it would no longer, technically, be public," he said.

Bowes said that collecting the data was in no way irresponsible and likened it to a telephone directory. "All I've done is compile public information into a nice format for statistical analysis," he said

In a statement, Facebook confirmed that the information in the list was already freely available online. "No private data is available or has been compromised," the statement added.

Bowes supported the view by adding that harvesting this data highlighted the possible risks users put themselves in. "I am of the belief that, if I can do something then there are about 1,000 bad guys that can do it too. For that reason, I believe in open disclosure of issues like this, especially when there's minimal potential for anybody to get hurt.

"Since this is already public information, I see very little harm in disclosing it," he said Facebook has a default setting for privacy that makes some user information publicly available. People have to make a conscious choice to opt-out of the defaults.
Blogged with the Flock Browser
Share/Bookmark

0 comments: