I’m a Facebook fan and strongly believe that it is destined to break all records when it is either bought or listed. Today, however, Facebook took its first real knock, with users reporting that they were getting data that was not their own. The team at my office first thought it was a proxy issue, but we later discovered that the problems were widespread. Facebook is currently down with a “We’re upgrading” message on their sparse home page. I wish I was a fly on their wall. The tension must be excruciating.
Will the rumored offer of something like $5 billion be something that the owners later look at with broken hearts? Can you imagine the disappointment if similar offers fail to materialize?
Update:
Here is a link to a PDF document detailing an XSS attack on Facebook. The document, written by Adrienne Felt, has been censored by the author until the vulnerability has been fixed by Facebook. It appears that the outage today was to correct security holes as identified in the document.
Update:
Facebook is online. I’ve noticed that now after the update if you click on a profile of a member that is not one of your friends, you are redirected to the basic search screen. All profiles, even those marked as public behave in a similar manner.
Update:
Facebook PR has a group that they’ve invited some of the press and bloggers into. Here’s an official statement that was just posted to that group:
“This morning, we temporarily took down the Facebook site to fix a bug we identified earlier today. This was not the result of a security breach. Specifically, the bug caused some third party proxy servers to cache otherwise inaccessible content. The result was that an isolated group of users could see some pages that were not intended for them. The site has now been restored and we apologize for any inconvenience this may have caused.”
Update:
Is Facebook still insecure?
July 31, 2007 at 8:13 pm
I had a similar issue with LinkedIn recently. The wrong data - with full access to everything. Scary. Fortunately I am an honest fellow.
Surely at $5B the time is now for Facebook’s founders? There is still time to get something else created and away during the 2.0 boon.
Chris from rawstylus.wordpress.com
July 31, 2007 at 8:20 pm
This whole scenario is being seconded by two people on this blog…
http://www.mdibb.co.uk/2007/07/31/did-facebook-get-hacked-today/#comment-193
This is very interesting.
July 31, 2007 at 8:24 pm
I think they have been hacked!!
July 31, 2007 at 8:31 pm
So……..I think I might…….die…..no……have a coffee and …….care……not much……
July 31, 2007 at 8:43 pm
[...] Facebook today? One blogger believes that Facebook was hacked. His argument seems convincing. This blogger believes it might have been proxy issues. You can follow more of the story [...]
July 31, 2007 at 9:10 pm
[...] Suggestions of hacking - http://strennery.wordpress.com/ [...]
July 31, 2007 at 9:45 pm
I think there are many companies that are guilty of not putting security further up their list of priorities - real shame that it has happened to Facebook.
July 31, 2007 at 9:46 pm
It just seems weird that they are having an upgrade at a time when there is bound to be a lot of traffic…. It’s scary now….
nimishgogri.blogspot.com
July 31, 2007 at 10:16 pm
[...] have been contained in the teapot. You are now free to resume normal time-wasting. 1:12PM: As another blogger reports, this was really the first big stumble by FaceBook. Some are theorizing that it was a proxying [...]
August 1, 2007 at 12:13 am
[...] was fixed - certainly the right thing to do. Other allege that Facebook took the site down to fix a security hole that would enable a XSS attack, although that seems unlikely in light of the mail [...]
August 1, 2007 at 1:10 am
had the same problem in facebook… what’s the possibility of it being hacked due to the recent legal pursuits by a third-party claiming the idea was stolen from them… (i don’t remember the details).
what someone should come up with is an application linking all such networking sites together… i have trouble catching up on facebook, friendster, hi5, bebo and multiply… let alone maintaining a blog!
August 1, 2007 at 1:25 am
wait a sec.. how’d you make the facebook button with profile pic on your blog? great if you can show me.
August 1, 2007 at 1:44 am
[...] fixed - certainly the right thing to do. Others allege that Facebook took the site down to fix a security hole that would enable a XSS attack, although that seems unlikely in light of the mail [...]
August 1, 2007 at 3:21 am
“I’ve noticed that now after the update if you click on a profile of a member that is not one of your friends, you are redirected to the basic search screen. All profiles, even those marked as public behave in a similar manner.”
How is this different from before?
August 1, 2007 at 6:58 am
Hi Guest1234
As I recall, when you clicked on the profile of a member that was not one of your friends, it would display the member’s profile page. When the profile was marked as private, the member’s name would not be clickable.
Since yesterday’s update, all profiles are clickable, but you are now redirected to the search page even if the profile is marked as public.
I notice now, though, that the behavior I noticed last night has been corrected.
August 1, 2007 at 7:11 am
Here is a link to details on how to add a profile badge to your blog:
http://facebook.co.za/2007/07/16/create-a-facebook-profile-badge-for-your-blog/
August 1, 2007 at 10:55 am
[...] to get my mind around what has been causing all this nonsense. I finally stumbled across a good site, which had some more information on this [...]
August 4, 2007 at 6:07 am
Hi, I’m the author of that white paper you link to. Thanks for the link! However — my work ended up being unrelated to the problem. They actually have not fixed either the XSS hole or the underlying design problems that make the Facebook site insecure. It was temporarily sorta-fixed for two days but the sorta-fix has been taken down; it was just a side-effect of their proxy bug fixing.
August 5, 2007 at 1:46 pm
[...] Still Insecure? On the 31st of July I posted my thoughts on the problems Facebook were having during the course of the day. According to Facebook, the [...]
August 12, 2007 at 11:46 am
[...] Strike Two After the reported problems on the 31st July, Facebook has taken another knock with someone posting the PHP source [...]