Monday, September 14, 2009

Beautiful Architecture Chap. 6 - Data Grows Up

Mainly because of its popularity on the Internet, this article is the highlight of the book (it's the first bullet on the book's back cover). But even so, it's a great read (40 pages!) that shows readers, step by step, the reasoning behind the development of FQL, FBML, & FBJS, which was mainly to control the execution of external applications within the Facebook platform. It goes to great lengths to describe how the architecture was molded to provide the data integrity that users expect. Yet Facebook has received a lot of criticism over the years regarding its general approach to the use of people's info.

Although the platform's API, FQL, FBML, & FBJS allow Facebook to restrict the usage of user data by third-party apps, the inverse doesn't seem to apply, as demonstrated by its launch of Beacon in late 2007. Facebook can obtain user activity from external applications and post it in the news feed. Users can deny confirmations for publishing information provided by Beacon, but there's "no option to prevent Facebook from storing and using information sent by Beacon". If they do decide to give users this option, it should be a fairly straightforward implementation; all they would need are the $user and $app_id parameters from the user. Considering the numerous security holes that have been discovered, users have a right to prevent Facebook from storing such info.

Here are some examples taken from http://en.wikipedia.org/wiki/Criticism_of_Facebook:

"On February 24, 2006, a pair of users exploited a cross-site scripting (XSS) hole on the profile page and created a fast-spreading worm, loading a custom CSS file on infected profiles that made them look like MySpace profiles."

"On April 19, 2006, a user was able to embed an iframe into his profile and load a custom off-site page featuring a streaming video and a flash game from Drawball."

"In July 2007, Adrienne Felt, an undergraduate student at the University of Virginia, discovered a cross-site scripting (XSS) hole in the Facebook Platform that could inject JavaScript into profiles, which was used to import custom CSS and demonstrate how the platform could be used to violate privacy rules or create a worm."

"On March 26, 2006, a user was able to embed JavaScript in the "Hometown" field of his profile which imported his custom CSS."

Notice how most of these occurred between 2 and 3.5 years ago, so I think we can safely assume that Facebook has corrected most of these. Nevertheless, Facebook needs to think beyond its own architecture for preventing other apps from compromising user data and be humble enough to realize that they can also, indirectly, be the source of data misuse. FBML & FBJS are great solutions that give them the flexibility to patch security holes in other parts of the platform while giving external apps the ability to run dynamic content. But we all know that no system is ever 100% secure.
