Social Networking

Category: Social Networking

The Serious Privacy Issues with Facebook

May 7, 2010 at 9:53 PM

Facebook has been making a lot of changes recently and many of which I am not pleased with them. Most of the issues mainly come down to privacy, which is slowing eroding away. The default privacy settings on Facebook are defaulted to Everyone. Everytime a new privacy setting comes along, it’s setting is usually defaulted to Everyone. It seems that Facebook is trying to push users to be more open and public whether if they know it or not and if they like it or not.

One of the recent changes on Facebook is that the information that is listed on profiles have been turned into “Connections”. This means that now just about every piece of information listed on your profile is now associated with a page you like (or are a fan of), and they’re public too. This includes your current city, hometown, education, work history, and all your interests and activities. The problem with this is your connections are now public to everyone. Sure, you can control the “Visibility” of them on your profile, but that doesn’t mean they won’t show elsewhere on the site publicly to others that aren’t your friend. For example, when you make a connection to a page by simply liking the page, it is possible that you will show up on the page under the list of the people that like that certain page. There is, however, pages you cannot control the “Visibility” of on your profile and these pages are ones that not categorized, which are the ones placed under the Other category, in your interests. Also, every page you like is also able to show posts on your news feed unless you explicitly choose to hide them from your news feed or decide unlike the page.

I have decided to unlike every page I “liked” since I have became annoyed with all the news feed spam I received from these pages and how the connections were made public to everyone. This means that I no longer have any interests listed on my profile, oh well. I have noticed that when you do list your current city, hometown, education, and work history, you do not automatically like the page associated with it. This means if you unlike these pages, Facebook does not remove these pieces of information from your profile.

Another issue is that if you mention a page’s name in any post on your wall, it may show on up the page itself without you having any say of this happening, regardless if you have a connection with the page or not. If the privacy on the post mentioning the page is set to public, it may be visible for everyone to see on that page.

You are automatically opted in Instant Personalization which automatically shares your public information. Currently sites such as Docs.com, Pandora, and Yelp are able to see your public information. You can opt out from Instant Personalization, but this does not prevent your friends from sharing information about you to these sites, which Facebook says, “Please keep in mind that if you opt out, your friends may still share public Facebook information about you to personalize their experience on these partner sites unless you block the application.” So in order to fully opt out, you must block every application that is part of Instant Personalization to prevent any information from being shared, which is completely unacceptable.

Data you have set to private is shared with apps you use on Facebook. Almost all your data is shared with applications you authorize. Even your friends can share information about you to applications they use without you knowing. This is a big issue since you are now trusting the application developers to keep your data private. Many of application developers are unknown and this creates a major risk of your private data spreading. Facebook does not check applications to see if they are indeed doing something malicious such as ones out there to steal user’s information.

Dislike Button on Facebook? O RLY?

11 Comments

November 8, 2009 at 12:26 PM

So Facebook has tons of fake group and fan pages cause people can’t get enough attention. Most of them I don’t care but this one I feel like writing about. I start to see my friends joining a group called “DISLIKE BUTTON is finally here– Add it now!” I obviously know the group is fake but I go to check it out anyways.

This group has instructions on how to get a dislike button on Facebook. I know it’s not true, but here are the instructions for supposedly getting a button:

NOTE: IF YOU DO NOT DO EACH STEP CORRECTLY, THIS WILL NOT WORK.

Step 1: Follow this twitter application http://twitter.com/guinnessrecord

Step 2: Click invite people to join!

Step 3: While you have the invitation page up, copy and Paste this script into your address bar EXACTLY AS IT IS and hit enter:

javascript:var numfriends=document.getElementById(‘friends’).getElementsByTagName(‘li’).length;fs.click(document.getElementById(‘friends’).getElementsByTagName(‘a’)[1].parentNode);for(var i=0; i < numfriends; i++){fs.click(document.getElementById(‘friends’).getElementsByTagName(‘a’)[i].parentNode);}

Step 4: Confirm invitations sent.

Step 5: To finally get the dislike button you must then click here- http://tinyurl.com/fbdislikebutton If that link doesn’t work, make sure you thoroughly completed steps 1-4-5.

HINT: If it didn’t work. You didn’t do it right; repeat steps 1-4.

Lets get into detail:

Step 1 is just obviously the user wants more followers on Twitter.
Step 2 is getting people to go to the Invite Friends page.
Step 3 is just executing JavaScript code in order to have everyone on the Invite Friends page to be selected so users don’t waste their time selecting everyone.
Step 4 is sending out the invites to all your friends.
Step 5 goes to http://www.facebook.com, how do I know? It’s called http://preview.tinyurl.com/fbdislikebutton

See, just another fake Facebook group wasting my time and I got gullible friends joining this crap.

Login By Username On MySpace By Emulating iPhone Login

1 Comment

October 31, 2009 at 8:16 PM

One day I was logging onto MySpace using the iPhone app, I was curious to try using my username (it’s your vanity URL, if not set it’s your Friend ID), and it worked. Now I’m not sure why MySpace freaks out over being able to login by the username because Facebook intentionally allowed logging in by username earlier this month.

Since this login works on the iPhone/iPod Touch, there has to be a way to bring it to the computer in order to use this method. Since my router is pretty much a Linux server running DHCP on it, I could easily run a packet sniffer in the middle to find out how the iPhone/iPod Touch was communicating to MySpace. The packet sniffer I used was shell based and is called Justniffer.

After figuring out the packet sniffer I figured out that the iPhone app uses SOAP+XML to exchange data. Once you type in the username and password, it sends the password in clear text to MySpace in order to create a hash and salt of the password. I am not sure why they really need to do this since you already sent the password over clear text, they could just save themselves a HTTP request by doing it in the actually login process.

Update 11/5: MySpace has fixed this issue and logging in by username no longer works. The following error now occurs, “The email supplied is not registered to a valid user.”

The first step of the authentication request makes the following HTTP request:

POST /SecurityService.asmx HTTP/1.1
Host: mobileservices.myspace.com
User-Agent: MySpace/1.6 CFNetwork/459 Darwin/10.0.0d3
Content-Length: 595
Content-Type: text/xml; charset=utf-8
Authorization: OAuth realm="http://mobileservices.myspace.com/",oauth_consumer_key="1000002",oauth_token="",oauth_signature_method="HMAC-SHA1",oauth_signature="MC37B2CcYBDeJPlT%2BT1jsjCZPSM%3D",oauth_timestamp="1256437313",oauth_nonce="9EC617B6-DEB7-427A-9463-B6AE3CFD8F4A",oauth_version="1.0"
Soapaction: urn:MySpace.IntegrationServices/GetSaltAndHash
Accept: */*
Accept-Language: en-us
Cookie: SessionDDF1=2962622b49c74a011793142740791e622b72e026b3477387; SessionDDF2=22b8f3a96cb338ae3990d279b29cefa01e58e2c5118f4486
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Header>
<MySpace xmlns="urn:MySpace.IntegrationServices">
<Version>iPhone: 1.6</Version>
<DeviceID>b6aaa9591ef5811e499ee1bf04758b3533eaccd7</DeviceID>
</MySpace>
</soap12:Header>
<soap12:Body>
<GetSaltAndHash xmlns="urn:MySpace.IntegrationServices">
<request>
<TokenType>Mobile</TokenType>
<Clear>p@ssw0rd</Clear>
</request>
</GetSaltAndHash>
</soap12:Body>
</soap12:Envelope>

In this example the password simply is p@ssw0rd. Notice how there is no spot for the username in this request, all it does is create a salt and hash based on that password. I have no idea why this is necessary but knowing MySpace they obviously think it is.

This request will outcome the following HTTP response:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 547
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Server: 7b262264f255ce9e4eea78ee5ed43e765b933575b6ad33d5
Set-Cookie: SessionDDF1=8c39718f6f8758c74900ce98793335c96e886d8666f52130; domain=.myspace.com; path=/
Date: Sun, 01 Nov 2009 02:52:01 GMT
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<GetSaltAndHashResponsexmlns="urn:MySpace.IntegrationServices">
<Results>
<Status>Success</Status>
<StatusCode>Success</StatusCode>
<SecurityComponents>
<Salt>Q8NysHYF/cKqV/+RES0NdA==</Salt>
<Hash>N+HrTQhAJencbKruQ2e8/qDKhELcJDq824aoSYzl5MA=</Hash>
</SecurityComponents>
</Results>
</GetSaltAndHashResponse>
</soap:Body>
</soap:Envelope>

Now since they have received the salt and hash, we can proceed onto step two of the authentication. This actually verifies the login information with the salt and hash along with the username or email it has received. This step makes the following HTTP request:

POST /SecurityService.asmx HTTP/1.1
Host: mobileservices.myspace.com
User-Agent: MySpace/1.6 CFNetwork/459 Darwin/10.0.0d3
Content-Length: 858
Content-Type: text/xml; charset=utf-8
Authorization: OAuth realm="http://mobileservices.myspace.com/",oauth_consumer_key="1000002",oauth_token="",oauth_signature_method="HMAC-SHA1",oauth_signature="L3vOxtNAADDGBRv2i16UvMoP97g%3D",oauth_timestamp="1256437314",oauth_nonce="E493D130-9496-4A17-A861-5862C657DF57",oauth_version="1.0"
Soapaction: urn:MySpace.IntegrationServices/Authenticate
Accept: */*
Accept-Language: en-us
Cookie: SessionDDF1=2962622b49c74a011793142740791e622b72e026b3477387; SessionDDF2=22b8f3a96cb338ae3990d279b29cefa01e58e2c5118f4486
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Header>
<MySpace xmlns="urn:MySpace.IntegrationServices">
<Version>iPhone: 1.6</Version>
<DeviceID>b6aaa9591ef5811e499ee1bf04758b3533eaccd7</DeviceID>
</MySpace>
</soap12:Header>
<soap12:Body>
<Authenticate xmlns="urn:MySpace.IntegrationServices">
<request>
<RequestData>
<Hash>N+HrTQhAJencbKruQ2e8/qDKhELcJDq824aoSYzl5MA=</Hash>
<CaptchaInfo>
<CaptchaLevel>Medium</CaptchaLevel>
<CaptchaGuid></CaptchaGuid>
<CaptchaImageSize>Sz120</CaptchaImageSize>
<CaptchaText></CaptchaText>
</CaptchaInfo>
<Salt>Q8NysHYF/cKqV/+RES0NdA==</Salt>
<Credential>somerandomusername</Credential>
</RequestData>
</request>
</Authenticate>
</soap12:Body>
</soap12:Envelope>

In this request we have used the hash and salt, along with the username which is called Credential here. In this example it is somerandomusername. Now since this is all sent the following HTTP response occurs:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 566
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Server: 12e0f2a61ef7e974de69e6f93fc8612bb56e8a9e86e1792c
Set-Cookie: SessionDDF1=ee28a6c308e5ab151a34f39f979df9e80737ca2a9eeb80d7; domain=.myspace.com; path=/
Date: Sun, 01 Nov 2009 02:59:28 GMT
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<AuthenticateResponse xmlns="urn:MySpace.IntegrationServices">
<AuthenticateResult>
<StatusMessage>Invalid username or password.</StatusMessage>
<Status>Error</Status>
<ErrorInfo>
<Name>InvalidCredentials</Name>
<Description>Invalid username or password.</Description>
</ErrorInfo>
</AuthenticateResult>
</AuthenticateResponse>
</soap:Body>
</soap:Envelope>

Since the the password to somerandomusername is invalid, we are presented with “Invalid username or password.” I honestly do not understand why there needs to be a creation of the salt and hash before the actual authentication request is made.

Now since I know how the requests are made, I’ve wrote a program to emulate these requests. The program was created with Eclipse using Java 1.6.

The program can be downloaded here.
The source code is included and the program may be modified and redistributed freely.
DISCLAIMER: I am not liable for ANY damages caused by this program.

Here are screenshots of the program in use:

Arguments for the program.

Example of a failed login.

Example of a failed login on a locked out account. Notice in the response it says “There was an error in processing this request.”

Example of a successful login.

Facebook Friends Edit Pencil Disappeared?

2 Comments

September 3, 2009 at 3:04 PM

Here’s a little annoyance, I go to edit the Friends box on my profile on Facebook to make it show more friends, and I noticed the pencil is gone. Great, and it appears people were having this issue for a few days now. I’ve even found a couple of questions on the Facebook Help Center about it. I decided to study the issue, appears it’s a CSS styling error. Appears Facebook is having a lot of these problems recently, and they haven’t fixed them but instead they have been busy publishing press blog posts and interviews, of course.

I first mentioned in that Help Center thread:

This seems to be to happening to all Boxes except for the Information one. It appears to be a CSS styling problem for the pencil not to be appearing.

I have noticed the CSS problems growing (i.e., the header). There have always been cases of boxes popping up randomly too. Hopefully Facebook doesn’t become another MySpace and fixes these issues.

Then later on I found a workaround:

Hmm, it appears I figured out how to pop it out.

If you are using Firefox and have the add-on extension Firebug, do the following:

1. Right click on the Friends label of the Friends box and click Inspect Element.
2. Here it highlights when the console pops up, right above it should say: <div id=”box_app_2356318349″ class=”box”>
This is the one you want. Note that the numbers in the ID may be different, don’t worry about this.
3. Click on the “box” part of the tag and put this in “basic_info_summary”
It should look like this afterwards: <div id=”box_app_2356318349″ class=”box basic_info_summary”>
4. Click the pencil, notice how it pops up now.

This is a workaround I’ve found, hopefully Facebook fixes this, I doubt most users will understand my instructions but I tried my best to clearly to explain them to users having this problem.

So everytime you are going to have to use that workaround to edit the Friends box, or any other box for that matter until they fix the issue (all the pencil icons except for the Information box disappeared for me -.-).

Update: These same instructions for the workaround appear to work for Chrome, according to the Help Center thread.

Update 2: Appears Facebook has fixed this issue.

MySpace Denies Xbox LIVE Gamercard App Twice

0 Comments

September 2, 2009 at 12:36 PM

In the past I deleted this app as MySpace was never willing to transfer ownership of the app to another account, however it never did get completed deleted as the canvas page still exists but it’s in private (AppID 106649). So until now I decided to recreate the app and upgrade to OpenSocial 0.8, boy was this is big waste of time. This App’s ID was 151011.

First, it was denied for these reasons:

1. Application Description

Apps that require third party registration must clearly state so in their app descriptions.
2. Loading Issues.
The Profile Surface fails to load the content and appears blank.

Okay I’ve address #1 already in the app footers, but I just make it bold and clear in the first paragraph just to satisfy them. #2 only appears when they are using all invalid Gamertags or the API is down, which I addressed by making it say a message if and when this occurs. So I resubmit and wait another 48 hours.

Then, the app gets denied again for these reasons:

1. User Experience / Functionality:
Applications must contain unique content on every application surface (i.e., canvas, home and profile pages must each contain unique content and functionality). The following surfaces are not unique: Home, Profile Surfaces

Well I can’t address #1, because in the past it was this way and they didn’t complain, and I have been requested by app users to do this a long time ago. Here are what these surfaces look like from the app screenshots:

Home	Profile

There was only one difference between the two, and that is the Change Gamertags link. This was also to help the user find their way around, and this satisfied a lot of users before.

No, I am not going to bother posting in their forums about it, the MDP (MySpace Development Platform) team doesn’t visit it as much anymore, and most of the app denial clarifications get unanswered. Their IRC channel #myspacedev is also dead too, only about 9 users sit in while about 90 are in the #facebook channel. So thanks but no thanks MySpace, I’ll just delete the app instead which means just more bandwidth for me, not like I was getting paid to do this anyways.

MySpace Sucks

1 Comment

May 16, 2009 at 12:12 AM

I’ve said it many times, MySpace sucks, and you’ve probably seen many articles or posts about this but I am as well going to put in my say.

From a developer’s point of view, their documentation sucks. I’ve written an app before on MySpace, before I decided to pull the plug on it. Today I decided to tinkering around with the old app and probably republish, but yet changed my mind. The documentation just totally sucks for OpenSocial 0.8, there are no examples, the current examples are for OpenSocial 0.7. What I did with the old app that was live was that I spent all over the forums looking for examples, but documentation for OpenSocial 0.7 wasn’t that horrible, but still bad. Facebook’s documentation is even better than MySpace’s. I also find out that development mode (or version) was completely broken cause MySpace wants to do all vanity URLs something like what Twitter does. So now if you make a change to a live app, and want to test it, you can’t.

Now for pretty much any end user’s point of view (yes, that’s you). Obviously from first glance, MySpace is pretty bloated with ads. There are ads everywhere. That’s no problem for me though, since I use AdBlock Plus to hide them all. Of course Myspace is also infested with spam, pointless drama, immaturity, etc.

Anyways, the privacy sucks. What I noticed with Profile 2.0, is that you can hide your age and location. Cool, however it’s still shown on MySpace mobile and in search, totally ruining the point of doing that. Just recently there was a new feature called Status Comments, now people can comment each others status updates. Awesome, however that’s like a rip from Facebook, and it has spam issues, and they can’t be disabled.

Today, they launched MySpaceIM Web for every region, and amazing it’s like a complete copy from Facebook. It’s like MySpace resorting to what Friendster did in the past after they beat them out.

Also, MySpace sometimes has glitches when deleting an account, such as information not completely going away, such as comments, default picture, and display name. Usually it’s suppose to delete all of this. In rare cares, deleting an account may be impossible even after confirming the email, cause it never processes. I wouldn’t recommend it but you might be stuck violating their Terms to get your account deleting, since their Customer Service sucks that bad, sometimes they never respond, and other times you just get excuses (or responses saying the exact thing you already did).

I also noticed they came with a new URL shorting service called lnk.ms, although they can only be generated through status updates. Clearly they are copying Twitter as well, but trying to be their own by creating their own URL shorting service, and also with the lame 140 character limit they decided to copied too.

Of course then you got the Local Reviews crap that no one cares about, like why does this belong on a social networking site. If I wanted to read reviews, I’d use Google or go to a reviews site, not MySpace. Same for going to look for a job, posting an ad or hell even to watch videos.

MySpace is already losing lots of traffic, that’s why they are resorting from copying Twitter and Facebook. Facebook already exceeds MySpace on Alexa, as shown in this picture:

All MySpace is trying to do is surviving, but really failing at it.

Categories

Archives

Twitter

Category: Social Networking

Categories

Archives

Tags

Twitter