Researcher Uncovers (Another) Major Facebook Security Exploit

For all the credit Facebook has received for its privacy controls and user safety, the site still falls prey to an unsettling number of security issues and potential data breaches. Last month a botched code push accidentally revealed private user email addresses, and before that Facebook accidentally sent private messages to the wrong recipients. Today, security engineer Joey Tyson, AKA theharmonyguy, has detailed a major security hole in Facebook Platform: one that would allow a malicious website to silently access a user’s profile information, photos, and in some cases messages and wall posts, with no action required on the user’s part.

The exploit, which we’ve confirmed has now been patched, could hijack the session of a previously authorized third-party Facebook application and invisibly hand it to a malicious app. In his proof of concept, Tyson embedded FarmVille in an invisible frame on his site, then manipulated Facebook Platform parameters so that every access right FarmVille held was passed on to a malicious data-harvesting application. In short, any of the many millions of people who had previously installed FarmVille and then visited the apparently benign proof-of-concept site would have had their data invisibly harvested, and if the user had granted FarmVille additional permissions for their Wall or messages, the malicious app would have inherited those too. Tyson chose FarmVille only for its massive install base; any other third-party app would have served.
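The root of the class of bug described above is an access grant that is honoured without checking which application it was issued to. The following is an added example, not Facebook’s code or the actual Platform mechanism Tyson exploited, showing the general shape of that check: a platform server signs a session that names the app it belongs to, a weak verifier accepts the session under any caller-supplied app id, and a bound verifier refuses it. The app names, signing key and user id are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed signing key for the illustrative platform server (assumption).
PLATFORM_KEY = b"example-platform-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, app_id: str, scopes: Iterable[str]) -> str:
    """Mint a session for exactly one app. The payload is HMAC-signed so a
    client cannot rewrite the app id or the scope list."""
    payload = json.dumps(
        {"user": user_id, "app": app_id, "scopes": sorted(scopes)},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    body = _b64(payload)
    sig = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify(token: str) -> Optional[dict]:
    """Return the payload if the signature is intact, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def authorize_unbound(token: str, calling_app: str, scope: str) -> bool:
    """Weak check: validates the signature and the scope, but never compares the
    app the session was minted for with the app presenting it. A genuine
    session handed to a different app is accepted."""
    payload = _verify(token)
    return payload is not None and scope in payload["scopes"]


def authorize_bound(token: str, calling_app: str, scope: str) -> bool:
    """Hardened check: the session is only honoured by the app it was issued to."""
    payload = _verify(token)
    if payload is None or payload["app"] != calling_app:
        return False
    return scope in payload["scopes"]


def demo() -> dict:
    # Constructed scenario: the user authorised "farm_game" with wall access;
    # "harvester" is the attacker's app that receives the hijacked session.
    token = issue_session("user:42", "farm_game", {"profile", "photos", "wall"})

    # Attacker also tries rewriting the app field while keeping the old signature.
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["app"] = "harvester"
    tampered = _b64(json.dumps(payload, sort_keys=True,
                               separators=(",", ":")).encode()) + "." + sig

    return {
        "legit": authorize_bound(token, "farm_game", "wall"),
        "unbound_hijack": authorize_unbound(token, "harvester", "wall"),
        "bound_hijack": authorize_bound(token, "harvester", "wall"),
        "tampered_unbound": authorize_unbound(tampered, "harvester", "wall"),
        "tampered_bound": authorize_bound(tampered, "harvester", "wall"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The signature alone is not enough: the tampered token is rejected by both verifiers, but the untouched FarmVille-style session still sails through `authorize_unbound` when the harvesting app presents it, which is exactly the silent pass-off the article describes. Binding the grant to the app id (and checking it server-side, never from a caller-supplied parameter) closes that path.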

Fortunately, Tyson doesn’t have reason to believe this exploit has been abused, stating “It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case.” But he also notes that it may have existed for a year or longer.

Further, Tyson thinks that Facebook still has problems with the way Platform is set up that expose it to vulnerabilities like this:

I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.

For more technical details on how the exploit worked, check out Tyson’s post. Tyson has written quite a few other articles detailing flaws with Facebook security, including his Month of Facebook Bugs (he notes that some of these have since been fixed).



Motorola MOTOSPLIT to have dynamic key labels, lame processor?

A quick glance at that render we'd obtained of the rumored MOTOSPLIT had us thinking we were seeing a large, Sholes-style phone with a musclebound OMAP3 core, but hold up -- maybe this is a lower-end (and stranger) phone than we'd originally thought. Android Community has gotten tipped with additional details and another supposed render of the handset, and the most notable tidbit here seems to be that the phone is said to use dynamic key labels (a la Samsung Alias 2) to let the user pull out a single side as a numeric keypad or both sides (hence the "SPLIT" in the name) for full QWERTY action. In the QWERTY configuration, there's apparently a kickstand around back that would help you set the phone on a desk and type with all the ease of the world's smallest netbook cocked at an awkward 45-degree angle.

The wisdom and usability of this kind of setup remains a huge question mark, but the bigger question mark might be inside the phone itself: we're hearing here that the MOTOSPLIT would use the same core as the Backflip, an old-school Qualcomm MSM7201A. Frankly that seems unlikely at best -- virtually every Qualcomm-powered midrange smartphone to be introduced in 2010 from here on out will be using an MSM7227 or 7627 (including Moto's own Devour), so we're going to cautiously assume this particular piece of the intel is incorrect. Please let it be incorrect, Motorola, we beg of you.

Motorola MOTOSPLIT to have dynamic key labels, lame processor? originally appeared on Engadget on Sat, 06 Feb 2010 20:36:00 EST.


Patent Watch: IBM Figures Out How To Limit Device Access By...

Could IBM be prepping more of its own location-aware technology and devices? According to a recent patent filing, it looks like it. On Thursday, Big Blue filed for a patent for a “method and system for location-aware authorization.” The inventors appear to be IBM engineers based in Rome, Italy.

According to the filing, the technology would provide a method and system to control access to a device based on the location of that device. IBM gives the example of a company that only wants employees to use a particular device in the office or at home, and believes its technology would allow the employer to control where that device can be unlocked.

Here’s an excerpt from the filing:

The invention provides a method and system for location-aware authorization such as for electronic devices (e.g., mobile electronic devices). One embodiment involves authorizing access to a standalone system such as a mobile device, by collecting user credentials on the device for authentication, obtaining location information (e.g., geographical position) for the device from a locating module such as a satellite navigation module attached to the device, accessing profile authorization information for authenticating the user based on the user credentials and device location information (localization), authorizing access to the device by the user if the profiled authorization settings match the credentials and the position of the device.

Talk about GPS lockdown. In an age of mobile workers and telecommuters, such a product might be more of a hindrance than a help for most organizations. But I could see putting something like that on servers or machines with super-sensitive data that are not supposed to leave the premises. The big question looms: what will Big Blue, which reported strong earnings for 2009 this past week, do with this technology?
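To make the excerpted method concrete, here is an added example (not IBM’s implementation, and not text from the filing) of the decision it describes: collect credentials, obtain a position fix, and authorize only when both match a stored profile. The user, password, zone coordinates and radii are constructed; the position fix is taken as a plain dictionary standing in for whatever the locating module would supply.

```python
import hashlib
import hmac
import math
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed profile store: one user, two authorised zones (office and home).
# Coordinates and radii are illustrative assumptions.
PROFILES = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": _pw_hash("correct horse", b"constructed-salt"),
        "zones": [
            {"name": "office", "lat": 41.9028, "lon": 12.4964, "radius_m": 200.0},
            {"name": "home",   "lat": 41.8500, "lon": 12.5500, "radius_m": 100.0},
        ],
    }
}


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def credentials_ok(user: str, password: str) -> bool:
    profile = PROFILES.get(user)
    if profile is None:
        return False
    return hmac.compare_digest(_pw_hash(password, profile["salt"]), profile["pw_hash"])


def zone_for(user: str, lat: float, lon: float) -> Optional[str]:
    """Name of the first authorised zone containing the fix, else None."""
    for zone in PROFILES[user]["zones"]:
        if haversine_m(lat, lon, zone["lat"], zone["lon"]) <= zone["radius_m"]:
            return zone["name"]
    return None


def authorize(user: str, password: str, fix: Optional[dict]) -> Tuple[bool, str]:
    """Location-aware authorization: credentials first, then the position.
    Fails closed when no fix is available."""
    if not credentials_ok(user, password):
        return False, "bad credentials"
    if fix is None or "lat" not in fix or "lon" not in fix:
        return False, "no position fix"
    zone = zone_for(user, fix["lat"], fix["lon"])
    if zone is None:
        return False, "outside authorised zones"
    return True, zone


if __name__ == "__main__":
    print(authorize("alice", "correct horse", {"lat": 41.9030, "lon": 12.4966}))
    print(authorize("alice", "correct horse", {"lat": 45.4642, "lon": 9.1900}))
    print(authorize("alice", "wrong", {"lat": 41.9030, "lon": 12.4966}))
    print(authorize("alice", "correct horse", None))
```

Two design points worth keeping: credentials are checked before the position so a wrong password learns nothing about where the device is allowed to be, and a missing fix denies rather than falls back to a plain password check. The obvious caveat is that a position reported by the device is only as trustworthy as the locating module supplying it; a spoofed or replayed fix passes this check, which is why the filing ties the position to a module attached to the device rather than to a value the user can type in.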

Thanks for the tip Anand S.


Le Web Kicks Things Off With Jack Dorsey

It’s about 9:45 am Paris time here at the sixth annual Le Web conference. Kicking things off is Twitter creator Jack Dorsey, who just launched his new startup, a mobile payment platform and service called Square, talking with Le Web’s Loic Le Meur. There are 2,300 registered attendees at the event, the most ever, and it looks like most of them have jammed themselves into the main floor to see Dorsey talk.

The audience is eating this up. A large screen next to the stage is showing real time tweets related to the talk, and a new one is popping up every second or faster.

Dorsey is kicking things off talking about his initial vision for Twitter (our first post). “I knew the concept was huge,” he said on stage. “The hardest part of any idea is getting started.”

Dorsey says he’s been surprised by the velocity of growth, and the ways that users have changed it – retweets, @mentions, hashtags, etc., were all invented by users.

Jack’s now giving the audience one of the first live demos of his new startup, Square (see here for a video of our demo). Square lets users make payments over a mobile phone, starting with the iPhone. The hardware will be given away for free, he says.

Funny enough, the demo isn’t working properly, although Loic says it worked perfectly back stage. Dorsey switched from wifi to Orange’s mobile network and the payment went right through.

Dorsey is highlighting the social aspects of the service. A picture of the payer pops up if they’re a registered user, adding security to the transaction.

The service is in limited beta, says Dorsey. And a number of retailers around the U.S. are accepting payments via Square.

Dorsey says the service will go live for all next year, hopefully by March. He also responded to a question I asked about Apple’s explorations into this space – they will become a direct competitor. Dorsey says they’re focused on the user experience, getting people in without contracts, merchant accounts, etc. Apple is doing things differently.
