Posts Tagged ‘privacy’

Facebook and your privacy, a never ending story

Posted by spaquet on May 10, 2011

According to researchers from Symantec, Facebook has leaked access to millions of users’ photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible.

While many access tokens expire shortly after they’re issued, Facebook also supplies offline access tokens that remain valid indefinitely. Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys.

The flaw resides in an authentication scheme that predates the rollout of a newer standard known as OAuth. Facebook apps that rely on the legacy system and use certain commonly used code variables will leak access tokens in URLs that are automatically opened by the application host. The credentials can then be leaked to advertisers or other third parties that embed iframe tags on the host’s page.
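A token carried in a page URL reaches third parties because the browser sends that URL in the Referer header of requests for content embedded in the page. The following check is an added example, not code from Symantec or Facebook: it scans proxy-log style records for requests to other hosts whose Referer carries a token, and redacts the value before reporting. The parameter name `access_token`, the `*.example` hosts and the log records are assumptions constructed for illustration.

```javascript
// Added example: constructed data, hypothetical names throughout.
// Assumption: the token travels in a query parameter named "access_token".
const SENSITIVE_PARAMS = new Set(["access_token"]);

// Return the distinct sensitive query parameter names present in a URL string.
function sensitiveParams(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return []; // missing or malformed Referer: nothing to report
  }
  const hits = [...url.searchParams.keys()].filter((k) => SENSITIVE_PARAMS.has(k.toLowerCase()));
  return [...new Set(hits)];
}

// Replace sensitive parameter values so the finding can be logged safely.
function redact(urlString) {
  const url = new URL(urlString);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, "REDACTED");
  }
  return url.toString();
}

// Flag requests to hosts other than appHost whose Referer carries a token.
function findTokenLeaks(requests, appHost) {
  const findings = [];
  for (const { url, referer } of requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; }
    if (host === appHost) continue; // first-party request, token stays with the app
    const params = sensitiveParams(referer);
    if (params.length > 0) findings.push({ thirdParty: host, params, referer: redact(referer) });
  }
  return findings;
}

// Constructed proxy-log records for an app hosted at app.example.
const SAMPLE_REQUESTS = [
  { url: "https://app.example/static/app.js", referer: "https://app.example/canvas?access_token=CONSTRUCTED_TOKEN&page=1" },
  { url: "https://ads.example/frame.html", referer: "https://app.example/canvas?access_token=CONSTRUCTED_TOKEN&page=1" },
  { url: "https://cdn.example/lib.js", referer: "https://app.example/about" },
  { url: "https://tracker.example/p.gif", referer: "" },
];

console.log(findTokenLeaks(SAMPLE_REQUESTS, "app.example"));
```

Any finding means the token should be treated as exposed and revoked, and the app should stop placing it in URLs of pages that embed third-party content.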

Facebook over the years has regularly been criticized for compromising the security of its users, which now number more than 500 million. The company has rolled out improvements, such as always-on web encryption, although users still must be savvy enough to turn it on themselves, since the SSL feature isn’t enabled by default.

UP4B offers a wide range of process and network analysis to make sure that your network is protected against what is really important for your business: information leak, network protection (penetration testing,…), network availability and more.

Feel free to contact us for more information on our IT Security services and get your company IT Sec ready.

TomTom gave away personal, but anonymous, data to… the cops!!!

Posted by spaquet on April 28, 2011

Navigation device maker TomTom has apologized for supplying driving data collected from customers to police to use in catching speeding motorists.

The data, including historical speed, has been sold to local and regional governments in the Netherlands to help police set speed traps, Dutch newspaper AD reported. As more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data.

“We never foresaw this kind of use and many of our clients are not happy about it,” Chief Executive Harold Goddijn wrote in an email sent to customers. He went on to say that licensing agreements in the future would “prevent this type of use in the future.”

TomTom has said that any information it shares has been anonymized, but customers shouldn’t take such assurances at face value. Past claims about the anonymity of data sometimes turn out to be horribly wrong – witness the debacles involving AOL’s sharing of 20 million searches and the release of Netflix users’ viewing habits. It’s not hard to fathom a scenario in which data supplied by TomTom could be used to figure out sensitive information about its users, such as where they live and work…
