As most major news organizations and blogs have covered the changes that Facebook has made from a high level, I wanted to focus this post specifically on Facebook’s “Open Graph”, “Social Plugins” and “Instant Personalization”. In my opinion, these are three changes that will significantly impact the way you and your friends use Facebook. As I usually do, I will provide a point of view from the eyes of an attacker. As we all know, its only a matter of time before these new features begin to be abused by attackers.
The first significant change is Facebook’s “Open Graph”. Open Graph is a significant departure from Facebook’s previous data connection strategy which used to be centered around Facebook Connect. All of that is gone and replaced with Open Graph. Open Graph basically allows partner websites and Facebook applications to share your public information and the public information of your friends with each other. The other big change which is a departure from Facebook Connect is that developers can hold your data indefinitely. The requirement was previously only for 24 hours (and we all know developers weren’t really holding to that anyway).
What’s also interesting is that Facebook has implemented an API called the Graph API. The Graphs API is how developers can easily integrate their applications with this new stream of user data. In fact, now you don’t even need a Facebook account to search the Open Graph. For example, https://graph.facebook.com/search?q=facebook&type=post will show you 25 recent status updates. Note that these status updates are set to Everyone and it seems that Facebook has put a limit on data you can retrieve with one query (this will change most likely or you can figure out ways around this). Before you had to log in to Facebook to do a search or use some creative Google queries for this information. This is good news for attackers, spammers and data miners. Facebook has made publicly available information even easier to search for and in my opinion, is going to start competing with Google for personalized search results. Stay tuned, Open Graph is going to be a huge area that I will be focusing my research on. As a penetration tester, my job just got easier. Thanks Facebook!
Social plugins are small bits of code (the “Like” button for example) that you probably have been seeing all over the web. What Facebook has done is added simple plugins that web site developers can easily integrate. Also note that there are many more plugins available besides the “Like” button. Simply run the wizard, fill in a few lines and you’re done. Lets take the “Like” button as an example. If you are signed into Facebook (or not) you will see the button just like you do on Mashable:
Clicking on the button while you are signed in to Facebook posts a notice to your news feed that you like Mashable. The button also works when you are not logged into Facebook by prompting you to sign in. This is similar to how Facebook Connect worked. If you want to “unlike” the page, simply click the “Like” button again. Already, someone has found a potential security problem with the “Like” button that could possibly be abused by spammers. Keep in mind that these social plugins are part of Facebook’s strategy to take over the world integrate their Open Graph protocol. Once Open Graph starts to be more popular, you will see lots more attacks leveraging these new plugins.
Lastly, we have “Instant Personalization”. Instant Personalization is the feature in which Facebook has “pre-approved” third-party web sites to gain access to your public information just by visiting them. There is very little information available currently on how Facebook approves third-party sites. Once you allow these sites full authorization, they have the same access that any developer would have to your Facebook information. For example, here is what it looks like when you surf to Yelp. You will get a pretty blue bar that shows up at the top of your browser window:
You should notice that you have the option to “Learn More” or say “No, thanks”. You will also notice how instantly, if any of your friends on Facebook are using Yelp you can see any of their activity just below the blue bar.
Now something interesting happens once you visit one of these pre-approved sites. I noticed that a Facebook application (in this case Yelp) gets installed and allows it permissions to post. You don’t have to even click “No thanks”, the application is already installed. Pandora and Microsoft Docs work the same way. In fact, when testing the Microsoft Docs personalization I noticed the Facebook application that gets installed sets its privacy permissions to EVERYONE and allows one-line posts on your behalf. This means that anyone can see any activity that is posted by that application. Keep in mind that these controls are all being closely looked at by attackers and I suspect that we will see some hacks and/or abuse of this new personalization system soon.
Instant Personalization Privacy Settings
Facebook has put in a global “opt-out” check box in your privacy settings. Of course in typical Facebook fashion they have buried this setting so it’s hard to find. Ironically, just as I was writing this post Facebook changed the location of this setting. So now you have to go down one more level by clicking an additional button to get to the setting (see the screen shot below).
There are some very important caveats about this setting. First, this setting is enabled by default. Yes, that’s right. If you have a Facebook account this setting is checked right now and you are opted in. I had thought that Facebook would have learned from the Beacon fiasco but it appears they haven’t. Secondly, just because you “opt-out” doesn’t mean your information is safe. Just like other Facebook applications if your FRIENDS use Yelp, Pandora or Microsoft Docs these sites can still get your public information or anything else you have made available to be shared with friends. To completely opt-out you need to MANUALLY block each and every application (in this case Yelp, Pandora and MS Docs). It goes without saying, this is a huge pain and I look forward to the long list of complaints and privacy concerns regarding this psudo opt-out. The other problem is that I have already seen posts by Facebook that they already have partner sites that they are going to announce soon. What this means is that if you want to truly “opt-out” you need to keep up to date on all the new third-party partners with Facebook and manually block their applications. This is a terrible control in my opinion.
So where are these settings? Click on Account –> Privacy Settings –> Applications and Websites –> Instant Personalization (Click the Edit Settings button). In the screen shot below you can see the box that you need to uncheck.
UPDATE: Yvan Boily on Twitter had mentioned that you should also uncheck every box under “What your Friends can share about you” in your privacy settings (in my guide on SocialMediaSecurity.com this is what I recommend as well).
I will be updating my Facebook Privacy & Security Guide over on SocialMediaSecurity.com to reflect all of these changes soon. In the meantime, tell your friends on Facebook about these settings and check out a few other good articles on the recent changes. Here are three articles I recommend reading: Pros and Cons of Today’s Facebook Announcements by theharmonyguy, How to Opt Out of Facebook’s Instant Personalization (with a nice video walk-through) by the EFF and Facebook Open Graph: What it Means for Privacy by Mashable.