
Facebook flaw exposes events to strangers

Facebook's new Graph API is publicly exposing user information according to an eagle-eyed blogger.

Ka-Ping Yee (AKA Zestyping) says that he recently discovered something strange while 'playing' with the social notworking site's new Graph API.

"The API was showing a list of my events," says Zestyping, "and it seemed that anyone could get this list. Today, I spent a while checking to make sure I wasn't crazy. I didn't opt in for this. I even tried setting all my Privacy Settings for maximum privacy. But Facebook is still exposing the list of events I've attended, and maybe your events too."

Facebook has long been criticised as a veritable harvesting ground for identity thieves as it is swimming in the kind of personal data beloved of online crooks, as the blogger explains:

"What can your event list say about you? Quite a bit. It might reveal your home address, your friends' home addresses, the names and groups of people you associate with, your hobbies, or your political or religious activities, for example."

According to Facebook, "The new Graph API attempts to drastically simplify the way developers read and write data to Facebook. It presents a simple, consistent view of the Facebook social graph, uniformly representing objects in the graph and the connections between them."

To make requests to the API, Yee's test program uses an access token for a Facebook account with no special access. To get this token, a user need only create a new account with no friends and then visit the Facebook API documentation. As examples, the API documentation page provides several links with an access token customised for the current user.

"The program just uses one of these example tokens. Anyone can create an account and visit the documentation page; hence I believe that anyone can make these requests to the API and get these results", reports Yee.

Currently, the only way to prevent your personal information from being exposed is to mark every event on your Facebook page as 'Not Attending'.