Phishing for Convenience on Facebook
Tuesday December 18, 2007 at 2:10 pm CST
Posted by Craig Schmugar
We often talk about the trade-offs between security and convenience, especially as they pertain to Web 2.0. Many of the technologies used by Web 2.0 sites were built for collaboration and a rich user experience, which has really fueled the explosion of social networking sites like MySpace, Facebook, and others. Today I bit the bullet and created a Facebook account, only to observe a prime example of security taking a backseat to convenience. Here I’m not criticizing the security of Facebook’s servers or applications so much as the expectation the site is establishing with its user base. The pages in the screenshots below are served over a secure HTTPS connection, but the information Facebook is asking for is what you’d expect to find in a typical phishing attack.
The page in question is https://register.facebook.com/findfriends.php. When navigating to this page without logging in, it appears as follows:
[Screenshot: findfriends.php as shown when not logged in]
This page is tame compared with the version you get once you’ve logged in:
[Screenshot: findfriends.php as shown after logging in]
To recap, for your convenience, Facebook is allowing you to enter the following information:
• Email username and password
• AOL Instant Messenger username and password
The site also asks you to click “Yes” when prompted to display “nonsecure items” so that you can then download and execute an application named “facebook.exe” (from an insecure site), so that the program can harvest your Outlook contacts and upload them to Facebook’s server.
I’m not suggesting that Facebook has anything other than good intentions here, but training users to hand over confidential information for a little convenience is not a good thing.
P.S. The CAPTCHA is real.



December 18th, 2007 at 18:18
I totally agree with you. I think it’s ridiculous that people actually offer to give away their personal information too. Another such website is Tagged.com
December 18th, 2007 at 22:36
Facebook is by far not the only social networking site that does this. Plaxo, Spock and others have pretty much the same capability.
Regards,
Vesselin
December 19th, 2007 at 05:30
That is a stunning display of stunning stupidity. And yet, if you asked 98% of the people who gladly provide that information where they are least secure, they will say something silly. Sigh.
December 20th, 2007 at 11:35
EVEN after working computer security at my company for 10 years, I fell for the Facebook info requests because so many of my colleagues were using the program.
When asked for my e-mail logon and password to access my Outlook contacts, it did not occur to me that the data could be harvested and kept, due to the Facebook caveat that they do not keep it. Hummm, would you buy a used car from these people?
In the past several months I have found Facebook all but unusable due to the constant add-ons and screen paint delays. I use it less and less. So what happens to the data one has already stored or had logged?
Thus I ask: If I delete my account (can I delete my account?) does Facebook have my data as long as they want?
February 4th, 2008 at 01:14
Yes, you can delete your account from Facebook. And yes, some info is stored in order to successfully identify you if you delete your account then choose to sign back up. Try it.