The website's security team scrambles to fix the problem

Jun 23, 2009 08:48 GMT

FBHive, a new blog that promises to deliver up-to-date news and information about all things Facebook, dropped a social networking bomb yesterday by announcing a simple hack that allowed virtually anyone to view a Facebook user's basic profile information. The disclosure finally sent the network's security team rushing to fix the bug, even though FBHive had contacted Facebook about it on June 7.

"With a simple hack, everything listed in a person’s 'Basic Information' section can be viewed, no matter what their privacy settings are," the FBHive editors wrote. In order to back up their claim, they released screenshots of what was supposed to be the private info of Facebook's own CEO, Mark Zuckerberg, or Digg's founder, Kevin Rose.

As the "twenty-something guys" running FBHive pointed out, this "Basic Information" was not so basic after all. It can include a user's gender, birthday, siblings, parents, relationship status, hometown and even political or religious views. Such personal details can easily facilitate social engineering scams or can be used to guess other people's answers to default security questions.

According to TechCrunch, Facebook later announced that, "We have identified this bug and closed the loophole. We don’t have any evidence to suggest that it was ever exploited for malicious purposes." This is consistent with FBHive editors' claim that they are not malicious hackers.

The Facebook fans returned with a post today, detailing how the hack worked. "The exploit involved fooling the 'edit information' section of your profile to display another user’s details when you finish editing your basic information," they said. In order to change profile ID numbers in POST requests, the hackers used the Tamper Data Firefox add-on.
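The flaw class described here, a handler that trusts a profile ID sent by the client, can be modelled next to its fix. This is an added illustration, not Facebook's code: the handler names, the `profile_id` and `fields` form keys, the sample profiles and the audit log are all assumptions, as is the detail that edits were saved for the logged-in user while the result view used the submitted ID.

```python
"""Toy model of a handler that trusts a client-supplied profile ID (added example)."""

# Constructed sample data: user id -> private "Basic Information".
PROFILES = {
    1001: {"birthday": "1988-03-14", "hometown": "Leeds"},
    2002: {"birthday": "1979-11-02", "hometown": "Austin"},
}
AUDIT_LOG = []  # mismatches recorded by the hardened handler, for detection


class Forbidden(Exception):
    """Raised when a request names a profile the session does not own."""


def save_basic_info_vulnerable(session_user_id, form):
    # Edits are stored for the logged-in user...
    PROFILES[session_user_id].update(form.get("fields", {}))
    # ...but the confirmation view trusts the ID from the POST body (the flaw).
    return dict(PROFILES[int(form["profile_id"])])


def save_basic_info_hardened(session_user_id, form):
    # The target profile is derived from the authenticated session only.
    claimed = form.get("profile_id")
    if claimed is not None and str(claimed) != str(session_user_id):
        # A mismatch is never legitimate: log it and refuse the request.
        AUDIT_LOG.append({"actor": session_user_id, "claimed": str(claimed)})
        raise Forbidden("profile_id does not match session")
    PROFILES[session_user_id].update(form.get("fields", {}))
    return dict(PROFILES[session_user_id])


def demo():
    # Constructed request: user 1001's session, another user's ID in the body.
    tampered = {"profile_id": "2002", "fields": {"hometown": "Leeds"}}
    leaked = save_basic_info_vulnerable(1001, tampered)
    try:
        save_basic_info_hardened(1001, tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked, list(AUDIT_LOG)


if __name__ == "__main__":
    print(demo())
```

The hardened handler never needs the submitted ID at all; checking it only serves to surface tampering attempts in the audit log.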

The "Basic Information" section was the only one affected by this bug; the FBHive guys noted that the hack failed to work with contact information or any of the other details. Furthermore, they claim that their original decision to go public with the issue was meant to raise awareness and force Facebook to react more promptly.

"We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them," the FBHive editors wrote in their original announcement. This goal was ultimately achieved and everyone's private info is now once again how it should have been from the start – private.