Facebook Application and Content Creation Privacy

Friday, December 04, 2009

Todd Zebert



While Take Control of your Facebook Security & Privacy Settings (part 1 of this series) provided an overview of Application Privacy, this is a deeper dive: it explains how the Built-in Apps control some basic functions and the default privacy of content you create on Facebook. This is the third article in the series; the previous one was Facebook Privacy using Friend Lists.

Finding and Setting your Application Settings

1. Hover over Settings (top right of the screen)
2. Click Application Settings
3. From the "Show" drop-down (top right) select "Authorized"

Application settings have to be set for EACH application, so the fewer you have authorized, the less there is to review and get wrong. For each application you can "Edit Settings", view its "Profile" (the Facebook page describing the application), or remove it with the "X".

It takes three clicks ("X", "Remove", "Okay") to remove each application, so think carefully the next time you are offered a new one.

Built-in Applications:

- Events
- Gifts
- Groups
- Links
- Notes (should set “new note” defaults)
- Photos (does NOT seem to set “new album” defaults)
- Video (does NOT seem to set “new album” defaults)

Note: there is NO control for (Fan) Pages!

Most Application Settings have three tabs:

- Profile Tab: Checkboxes for whether the app should be shown on your personal Wall/Info page as a "Box" and/or as a "Tab". There are also privacy settings, which were described earlier in this series.
- Bookmark Tab: A single checkbox. Not important to security/privacy.
- Additional Permissions Tab: Items specific to that application. Most have a checkbox for "Publish to streams", which means the application can publish to the "wall of a user or a Facebook Page, group, or event connected to the user." This is similar to the "Publish recent activity (one line stories) to my wall" option. Consider carefully which applications you allow to create posts on your behalf. Other applications have options for which events (not a formal Event, but specific activities) should trigger an email to you.

Controlling Privacy when Creating Content

Creating content in each built-in Application is discussed below:

Events – Creating:

Step 1, Privacy:

- Open: “Anyone can see this Event and its content. Anyone can RSVP or invite others to this Event.”
- Closed: “Anyone can see this Event, but its content is only shown to guests. People will need to be invited or request invitations to RSVP.”
- Secret: “Only people who are invited can see this Event and its content. People will need to be invited to RSVP.”

Step 2, Event Options:

- Options for whether the Event has a wall, what content can be posted, whether only admins can post, and control over invites and visibility.

Note: if you create an Event from "What's on your mind?" via Attach: Event, you do not get the same privacy controls.

Gifts - Giving:

Part 4. Method of Delivery:

- Public: “People will see your gift and message. The gift will go in the recipient's gift box and the wall.”
- Private: “People will see the gift but only the recipient will see your name and message. The gift will go in the recipient's gift box but not the wall.”

(Fan) Pages – Creating:

Outside the scope of this article.

Groups – Creating:

Outside the scope of this article.

Links – Creating:

There’s no way to adjust the Privacy of an individual Link as you create it, nor afterward.

Note: You don't have to create a Link explicitly from "What's on your mind?" via Attach: Link; Facebook automatically recognizes a URL in your status and creates the Link attachment for you. If you click the right-side "X" to delete the attachment, the URL text remains but the update is posted as a plain status update rather than as a Link.

Notes – Creating:

Note Privacy: set the privacy for the note if you want something different from the default you chose in the Notes application settings.

Photo – Creating a new Album:

Privacy: set the privacy for the album. The default seems to be "Everyone", and this default is not changed by the Photo Application settings.

Photos created from "What's on your mind?" via Attach: Photo end up in different albums depending on how they were created. "Upload a Photo" places the photo in "Wall Photos", and privacy cannot be set at that time (you may have set the album's privacy previously, and can change it afterwards). "Take a photo" places it in "Webcam Photos" (same caveat: privacy may have been set previously and can be changed afterwards). "Create an Album" allows privacy settings as usual.

Photos uploaded from a mobile device go into an album called "Mobile Uploads" (again, privacy may have been set previously and can be changed afterwards).

Warning: like all Facebook albums, "Wall Photos", "Webcam Photos" and "Mobile Uploads" are limited to 100 photos. When the limit is reached, a new album with the SAME name is created and its privacy defaults to Everyone, regardless of what you set on the full album. This is not obvious unless you check. For mobile uploads it is especially problematic: you are presumably away from your computer, so you may not get to (or may forget to) change the new album's privacy for some time.
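As an added illustration (not code from the original article, and not Facebook's own code), the following Python models the roll-over behaviour described in the warning above. The 100-photo cap, the album names and the "Everyone" default are taken from the article; the class and function names are assumptions made here for the model. The point it shows is that a privacy setting applied to the full album is not inherited by the same-named album that replaces it, and that a simple audit over all albums catches the regression.

```python
"""Model of Facebook's album roll-over as described in the article.

Constructed example: not Facebook code. ALBUM_LIMIT, the album names and
DEFAULT_PRIVACY come from the article's description; everything else is
an assumption made for the model.
"""
from dataclasses import dataclass, field

ALBUM_LIMIT = 100             # per-album photo cap described in the article
DEFAULT_PRIVACY = "Everyone"  # what a freshly created album defaults to


@dataclass
class Album:
    name: str
    privacy: str = DEFAULT_PRIVACY
    photos: list = field(default_factory=list)


class Profile:
    """Holds a user's albums and reproduces the 'new album with the SAME name' behaviour."""

    def __init__(self) -> None:
        self.albums: list[Album] = []

    def _current(self, name: str):
        # The most recently created album carrying this name, or None.
        for album in reversed(self.albums):
            if album.name == name:
                return album
        return None

    def set_privacy(self, name: str, privacy: str) -> None:
        """Set privacy on the current album of that name only (assumption:
        like the UI, this never touches an album created later)."""
        current = self._current(name)
        if current is None:
            current = Album(name)
            self.albums.append(current)
        current.privacy = privacy

    def upload(self, album_name: str, photo: str) -> Album:
        """Add a photo. When the current album is full, a new album with the
        same name is created and its privacy falls back to DEFAULT_PRIVACY,
        regardless of what the user set on the full album."""
        current = self._current(album_name)
        if current is None or len(current.photos) >= ALBUM_LIMIT:
            current = Album(album_name)  # privacy == DEFAULT_PRIVACY
            self.albums.append(current)
        current.photos.append(photo)
        return current


def audit_albums(profile: Profile) -> list[str]:
    """Report every album that is public, and call out specifically a
    same-named album that is less restrictive than an earlier one."""
    findings: list[str] = []
    seen: dict[str, str] = {}
    for album in profile.albums:
        earlier = seen.get(album.name)
        if album.privacy == DEFAULT_PRIVACY:
            if earlier is not None and earlier != DEFAULT_PRIVACY:
                findings.append(
                    f"'{album.name}' rolled over: earlier album is {earlier}, "
                    f"new album is {album.privacy} ({len(album.photos)} photos)")
            else:
                findings.append(f"'{album.name}' is {album.privacy}")
        seen[album.name] = album.privacy
    return findings


def demo() -> list[str]:
    """Restrict 'Mobile Uploads' to friends, then push it one photo past the cap."""
    p = Profile()
    p.set_privacy("Mobile Uploads", "Only Friends")
    for i in range(ALBUM_LIMIT + 1):
        p.upload("Mobile Uploads", f"IMG_{i:04d}.jpg")
    return audit_albums(p)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` produces a single finding: the 101st upload lands in a second "Mobile Uploads" album that is Everyone while the first is Only Friends. Nothing in the model re-applies the user's setting, which is exactly why the article tells you to check after a roll-over rather than trust the name.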

Videos – Creating:

Privacy: set the privacy for the video. The default seems to be "Everyone", and this default is not changed by the Video Application settings.

Videos created from "What's on your mind?" via Attach: Video default to Everyone.

Warning: mobile upload videos default to Everyone, and since you are presumably away from your computer you may not get to (or may forget to) change their privacy for some time.

Comment from Steve Smith:

Interesting article,
It prompted me to share a couple of unusual loopholes in the Facebook API which I discovered in the early days of Facebook and believe are still open to this day.

It is possible to build a custom application for Facebook to send, for example, user commands to a friend or any user masquerading as any other user. For example, your friend installs this simple custom application and you view their public details. The application can then capture your ID and send a spam message to your friend. It looks like it is coming from you under your session. This is a simple scenario; however, the message could be sent to all of your friends' friend lists, or to any friend list that had been collected previously by substituting the IDs, or even friends-of-friends lists. The worst part is that Facebook does not catch this, as it looks like the message is coming from either you or any ID that the application is programmed to substitute and going to some friend. It also leaves open the possibility of collecting lists of visitors.

I did a quick test and sure enough it worked, so I reported the bug to the techies at Facebook and sent them proof. I got a "not really a problem" response, so I left it at that; it's not my problem either.

After looking over the API it is amazing what is possible; everything looks real tight to the user, as in this article, but a programmer who really understands the API sees a very different weak side.

In light of this, I stopped using Facebook a while back before many of these privacy issues came to light.