
FACEBOOK BUG EXPOSES 7 MILLION USER PHOTOS



Three months after the incident happened, Facebook announced on December 14, 2018 that an internal bug in its Photos API system exposed the photos of 6.8 million Facebook users to 875 third party websites using over 1500 apps.


They said the breach happened between September 13, 2018 and September 25, 2018 and was not limited to photos posted at the PUBLIC setting, as the Photos API system was intended to be.


The breach allowed them to see any photos that you uploaded but never posted. If you upload a picture but don't follow through with posting, it is automatically saved as a draft (unless you delete it).



So this breach pertains to ALL photos, even those you have set to ONLY ME or DRAFT. We suspect that very soon you can expect to see some of your personal photos show up in a Google search or used on blogs and websites.



Facebook posted their notice to make its users aware that this incident happened. They said they would notify each affected user in the coming week. But as of today, they have not posted what you can do about it.


We will, at the end of this post.




 *********************************


We have warned readers about social media buttons before, but it bears mentioning again since this is exactly how Facebook said the breach occurred. We also think that if you knew the volume of information you hand over and the vulnerability you are opening yourself up to when you use social media buttons, then maybe you wouldn't use them as much, if at all.


We want you to see how you are jeopardizing your Facebook account and what you can do about it.



WHAT IS A THIRD PARTY APP OR WEBSITE?

A third party app or website is one that you log into using your Facebook login and password instead of a separate account. This is usually done by using any of the social media CONNECT buttons.

They make it sooo easy!

As you can see, Facebook isn't the only social media with
a CONNECT button, but it is the most popular. 



Many Facebook users will use social media CONNECT buttons to try out a site before they make an account for the site. When they find they don't like the site, they forget to dis-Connect themselves. You can read how to do that at the end of this post.




Using this button allows your Facebook login and password 
to be your login for their website.
   



When you use any of the social media CONNECT buttons to log in to a website, the main reasons you are doing it are because it's easy and because you don't want to make a new account or have to remember a separate login and password.




CONTINUE WITH FACEBOOK, CONNECT WITH FACEBOOK,
or CONNECT USING FACEBOOK. The next screen on their site
is what you should READ before clicking OK or AGREE.





 *********************************



If you have never accessed a website or your online games using a social media button like the CONNECT WITH FACEBOOK button, OR if you have always accessed websites using a separate screen name and password that you yourself created, then this breach does not affect you.



But if you have used social media buttons like the CONNECT WITH FACEBOOK button to log in to your games and other websites, then this breach most definitely affects you.





 *********************************



Click on this picture so you can see the small print on this login screen.  


Just LOOK at all the info that your agreement is
giving them access to!

NOTE: The requests shown in our examples are not representative of ALL sites. Each site will ask for access to different information.




When confronted with this type of heavy permission screen, most users click through it without reading any of it because they want to get onto the website as fast as possible.




Others stop reading when they see the bold print where it says 'access my basic information.'  They think 'basic' means 'name, profile picture and friends list.'  It's so much more than that.



Some users feel it is a waste of time to question the permission screen, because if a user wants to get on a site badly enough, they will agree to anything on that screen.



 *********************************



Look at the text under 'access my basic information' so you can see exactly what they are 'requesting.'


They want to access:
- your name, 
- profile picture, 
- gender, 
- any networks you are on, 
- your user ID, 
- your friends list, and 
- any information you ever shared with anyone.  


That about covers your whole Facebook account!  


And you haven't even seen inside their site yet!


If you are confronted with a screen like this one, you should seriously reconsider whether you want to give away all of that info to a website that is essentially a stranger to you.





Look at the next section 'post to my wall.'  By agreeing, you are allowing them to post status, messages, notes, photos and videos to your wall.  




Really? You would allow a site to basically take over your account and post 'as you'?



If you use CONNECT buttons, you are required to give access to a certain amount of your personal info. So why did you go to all the trouble of tightening up your Facebook security and locking down your Facebook account and friends list?



We hope this is starting to 'click' for some of you.


FACEBOOK TO TWITTER
Take a look at this Facebook to Twitter authorization to see what this application will be able to do, but especially read the text where I put the red arrows and boxed off the bottom.  




They are going to:
- 'post tweets for you,'
- update your profile 'for you,'
- see who you follow, and
- follow new people 'for you.'



They are basically asking to 'become you' and act on your behalf. 


Let's say you live in a small town.

Let's say they post a tweet 'for you' that goes against your views.

Even better, let's say they clicked LIKE on and responded arbitrarily to one of President Trump's tweets.

Now let's say they did this at 3AM when you were asleep in bed.



You go to work the next morning without checking your Twitter account. You don't have access to the news and are unaware of the tweet until the following evening when you get home from work. Pulling into your driveway, you are greeted by several news stations waiting outside your front door, telling you that your reply to President Trump's tweet is the talk of your little town!

It is true we went to an extreme in the above example, but we did it to make a point. If you don't want someone putting your name on a post or tweet, don't give them permission to do so.







Your reputation is at risk here. 



Just as you wouldn't trust a 5 year old to drive your car, you should never trust a website to 'post on your behalf.' 




As a consolation, the permission says they will not be able to access your messages or see your Twitter password. To us admins, that is a very small consolation when they can do so much more damage to your reputation by posting "as you."



TEN IMPORTANT FACTS

FACT 1: By using the CONNECT button, the user's Facebook login credentials are shared with and used to access that website.  





FACT 2: By using the CONNECT button, the user does not have to create a separate account and password to use their site.  





FACT 3: By using the CONNECT button, users only have to remember their one Facebook login and password.





FACT 4: Using any CONNECT social media buttons is a lazy person's login. If you use your Facebook login to access a number of websites, it only takes one breach of ANY website where you used the CONNECT WITH FACEBOOK button for the bad guys to get into your Facebook account.





FACT 5: If you agree to these kinds of 'requests' you can kiss off your Facebook account in the very near future, because hackers don't always hack a password to take over a Facebook account. Sometimes they look for a glitch to gain access. Anyone who has allowed their Facebook account to be used to access other websites is creating a hole that gives away the one thing you should be protecting at all costs: your Facebook credentials.

  



FACT 6: Most hackers do not need your actual Facebook password to hack your Facebook account. They can access your account after a glitch or breach.





FACT 7: A hacker isn't always looking for financial information when he hacks your Facebook account. Sometimes he wants your friends list. Sometimes he wants your game level. Sometimes he wants your access to groups and other websites that you use your Facebook account to access.  If you lose your Facebook account to a hacker, all those sites you accessed using CONNECT buttons are now available to the hacker.





FACT 8: Your Facebook account has to be active in order for social media CONNECT buttons to work on other websites.  




FACT 9: If you deactivate your Facebook account, you cannot use the CONNECT buttons because you don't have an active Facebook account anymore. To access the websites you will have to make a new account for each website . . . so why not do that anyway and keep your Facebook account safe?






FACT 10: If you lose your Facebook account because the Facebook gods took your account away from you for any reason, you will not be able to access any of the sites that you formerly logged into using social media CONNECT buttons, because you don't have an active Facebook account anymore.




CONCLUSION


Third party websites dictate which parts of your account they need access to. Users can either agree to the permission requests and use the site, or disagree and cancel out of the screen. Since they want to use the website, most users will agree to almost any permission request.



We want you to seriously reconsider giving permissions to a site that doesn't need the amount of access they are asking for.




If a site says they are going to post something "for you" or "as you," get off that site. The only person who should be posting "for you" or "as you" is YOU.




One reader told us he uses the CONNECT USING FACEBOOK button to access his local home improvement store, for two reasons: 1) they offered the CONNECT button and 2) it's easy. By connecting this way, he is giving the store permission to view his Facebook activity. But more importantly, he is allowing the store to use his name (as a customer) in their ads and on their Facebook Page posts, and to post stuff in his newsfeed like upcoming sales and grand openings of new stores. Because he also gave access to his friends list, his friends will be inundated with seeing his name on their posts and ads. You see enough ads on Facebook. There's no reason to add to the clutter. But there is also no reason for a home improvement store to be privy to your Facebook activity.



Using CONNECT USING FACEBOOK for your Pinterest account is also dangerous, because if you are ever locked out of your Facebook account or lose it to the Facebook gods, and if you can't talk Pinterest into overriding your Facebook login, then you might have to make a new Pinterest account and start over from scratch.


DIRECTIONS
Users who were affected by this breach will be shown a notice (similar to this one) with instructions on which websites have their information and how they can go about restricting access to it.


The notification that users can expect to see from Facebook 



Of course Facebook said they were sorry. And of course, that makes it all better now, doesn't it? (Sarcasm implied.)




Here is how you can see who you gave access to your Facebook account by using a CONNECT WITH FACEBOOK button.



Go to the 3 vertical dots (or gear) at the top right of your Chrome browser and select SETTINGS (if you use another browser, it will be in a different place).




Now go to APPS AND WEBSITES on the left.




The screen will show you the apps and websites that you have logged into with your Facebook credentials and have used recently. At any time, they can access the info that you agreed to share with them.





Figure out which ones you want to get rid of. Then remove each one right from that screen by checking the box next to each item and selecting REMOVE at the top right.



Your Facebook games will probably be the only ones you will want to keep active. But the websites that you used your Facebook credentials to log into do not need, and should not have, total access to your account. Click on VIEW AND EDIT to see exactly what each one is seeing.



TIP: You can go to your Pinterest account, click CONNECT WITH FACEBOOK, then go to SETTINGS. You can add an email account and select it as your method of login. This is so you don't lose your Pinterest stuff if you ever lose your Facebook account. After you add an email address, go back and remove Pinterest from the apps on the above screen.



Source:
https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/