Facebook API Privacy Hole Exposed by Web Developer
Facebook has, of course, suffered from privacy issues before, such as temporarily revealing private email addresses, and now it’s facing another, uncovered by web developer Ka-Ping Yee, a software engineer for the charitable arm of Google, who has discovered that Facebook’s new API (specifically the Graph API released last Friday) is flawed.

The flaw uncovered by Yee will, in certain cases, allow users to see public events that other users (not friends) have either attended or committed to attend. By way of demonstration of the API privacy flaw, Yee managed to access a list of public events relating to none other than a certain Mark Zuckerberg, as seen below (Zuckerberg being Facebook’s founder, in case you’re wondering).
“Using a freshly created account with no connection to you, anyone can make requests to the new Graph API and get a list of events, with dates, descriptions, and locations,” Yee states in an entry on his blog. “Based on my experimentation, it looks like this list contains any event that (a) has a privacy setting of “Open” and (b) you have marked as “Attending” or “Maybe Attending”. The content of the event itself is also available, including any comments posted on the event and the names of other people who are invited or attending.”

Of course, the event’s privacy settings need to be open, as Yee explains above, so what’s the problem, you may ask? Yee explains, “there’s a big difference between publishing an event page with a list of people attending, and publishing a list of events that you attended. Before the new API, to find out which events you attended, I’d have to visit every single event page on Facebook and look for your name among the people attending.” He adds, “Now, I can just ask the API what you’ve been doing, and it will tell me.”
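The distinction drawn above, between an open event page and a per-user list of attended events, can be modelled as an authorization check on the list itself. The following is an added example, not code from Yee or Facebook; the data model, function names and the friends-only policy in the checked version are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour described above. All names and data are
# hypothetical and do not reproduce Facebook's API or schema.
LISTED_RSVPS = {"attending", "maybe"}

@dataclass
class Event:
    event_id: int
    name: str
    privacy: str                                  # "open" or "closed"
    rsvps: dict = field(default_factory=dict)     # user -> RSVP status

EVENTS = [  # constructed sample data
    Event(1, "Open meetup", "open", {"alice": "attending", "bob": "maybe"}),
    Event(2, "Private dinner", "closed", {"alice": "attending"}),
    Event(3, "Open talk", "open", {"alice": "declined", "bob": "attending"}),
]
FRIENDS = {("alice", "carol"), ("carol", "alice")}  # assumed relationship data

def _open_events_for(target):
    # Conditions (a) and (b) from the quote: open event, attending or maybe.
    return [e.event_id for e in EVENTS
            if e.privacy == "open" and e.rsvps.get(target) in LISTED_RSVPS]

def user_events_flawed(viewer, target):
    """Per-user index that only consults each event's own privacy setting."""
    return _open_events_for(target)

def user_events_checked(viewer, target):
    """Same index, but the list is treated as the target's own data."""
    if viewer != target and (viewer, target) not in FRIENDS:
        return []                      # assumed policy: self or friends only
    return _open_events_for(target)

def can_view_event_page(viewer, event):
    """Open event pages stay public under both versions."""
    return event.privacy == "open" or viewer in event.rsvps

if __name__ == "__main__":
    print(user_events_flawed("stranger", "alice"))   # unrelated account
    print(user_events_checked("stranger", "alice"))
    print(user_events_checked("carol", "alice"))
```

In both versions the open event page remains viewable by anyone; only the aggregated per-user list changes, which is the difference the quote describes.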
The latest update on Yee’s blog confirms that, whilst some users are reporting that their events are indeed exposed, others say their events seem to remain hidden. Yee has confirmed that he’s contacted Facebook asking why this should be the case (a reply is pending, we assume).
So, to your knowledge, are you affected and, either way, are you concerned? Do feel free to let us know as Yee, and we, await Facebook’s response to the issue.
Credit: Source.
