Page last updated at 01:59 GMT, Thursday, 1 May 2008 02:59 UK

Identity 'at risk' on Facebook

By Spencer Kelly
Presenter, BBC Click

[Image: Facebook logo reflected in an eye. Caption: Facebook has millions of users throughout the world]

Personal details of Facebook users could potentially be stolen, the BBC technology programme Click has found.

The popular social networking site allows users to add a variety of applications to their profile.

But a malicious program, masquerading as a harmless application, could potentially harvest personal data.

Facebook says users should exercise caution when adding applications. Any programs which violate their terms will be removed, the network said.

Stealing details

Facebook is the darling of the moment, allowing friends to stay in touch, post photos, and share fun little games and quizzes. And it also lets you keep your details private from the rest of the world. Or at least that is the implication.


We have discovered a way to steal the personal details of you and all your Facebook friends without you knowing.

We made up the fictitious profile of Bob Smith. He keeps most of his details on his profile private from non-friends.

While we could not get all of his details, what we did get, which included his name, hometown, school, interests and photograph, would certainly help someone to steal his identity.

Mining data

So how did we do it?

[Image: Click's resident coder, Pete. Caption: Thousands of applications are available to Facebook users]

Using a couple of laptops and our resident coder Pete, we created a special application for Facebookers to add.

One of the reasons Facebook has become so popular so quickly is because of the wealth of applications users can add to their profile pages.

Little games, quizzes, IQ tests, there are thousands of them available. And once you have added an application, your friends are encouraged to add it too.

Anyone with a basic understanding of web programming can write an application.


We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background it is collecting personal details, and those of the user's friends, and e-mailing them out of Facebook to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes the information you can see about your friends, even if they think they have tight security settings.

Did you know that you were responsible for other people's security?


Now, many applications do need access to your details, in order to work properly.

We do not know of any specific application which abuses user information, apart from ours.

But the ease with which we created our application has many people worried. If such an application were in use, you would not even have to add it yourself to become a victim; you would just have to be a friend of someone who has.


Because these applications run on third-party servers, not on servers run by Facebook, it is difficult for the company to check what is going on, whether anything has changed, how long applications store data for, and what they do with it.

Although Facebook's terms and conditions contain a warning that this could in theory happen, and the site offers an option to stop an application from accessing your details, many games and quizzes will not work if that option is switched on.

In fact, the only way we can see of completely protecting yourself from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.

So has Facebook done enough to protect its users from identity theft?

Paul Docherty is the Technical Director of Portcullis Security, which advises several governments, including the British government, on IT security matters.

He told us he believed that the terms and conditions stated on the site meant that Facebook had legally covered itself against any liability.

But he added: "Morally, Facebook has acted naively."

He said: "Facebook needs to change its default settings and tighten up security."

He also believes it would be difficult to secure the current system because so many third-party applications are now in circulation.

Removal team

We put these concerns to Facebook.

It told us that it has an entire investigations team watching the site and removing applications that violate its terms of use, which would include our Miner application.

It also advises users to take the same precautions with Facebook applications that they would take when downloading software to their desktop.

All this comes in the month that competitor MySpace opened up its own application platform. However, it handles applications differently: there, all applications run on MySpace's own servers, so it can see what they are up to.

MySpace also manually checks all submissions and rechecks them if authors wish to change the code. We were unable to create a similar threat to users' security using the MySpace system.

It certainly seems that Facebook's standard security settings are not sufficient to protect your personal information, and those of your friends.

Are you a Facebook user concerned about your personal details? Have you had your data skimmed?

Your comments:

I'm a Facebook user and although I've not been skimmed (I can't even know yet until something flags it) it's really scary to hear that this is possible with the ever-growing number of applications on the site. Every day I get about 20 requests to join/add different applications onto my profile and this news makes me want to remove all of them. Problem is, if you do remove them, then what are you going to do on Facebook? Give us more security features, Facebook.
Ralph Ofuyo, Nairobi, Kenya

The only data an application can "steal" is that which has already been posted to Facebook by the user themselves. Common sense dictates "anything" you put on the internet can be found by just about anyone.
Mark, Dallas, Texas, USA

Perhaps the problem lies not so much with Facebook than with our banking system. If your date of birth and address are enough to get a credit card or a mortgage, no wonder this is being abused. Isn't this yet another sign that we need a better way to prove one's identity? Surely a national identity card would go a long way towards this - other countries don't seem to have these problems.
Bob, Oxford

This is why I lie to Facebook about things like date of birth, setting them to be roughly there but not accurate enough. I tend to do this on any site that insists on having this information but that I don't see the need for.
Richard, Leeds, UK

I use Facebook on a daily basis to keep in touch with friends. I've got very tight security settings, but it never occurred to me to worry about the applications that my friends and I have added. Thanks for the heads up!
Kate K, Washington DC, USA
