Another Data Security Snafu by Facebook
Monday, August 16, 2010
Sadly, yet another reason to distrust Facebook. Last week, ZDNet reported on a Facebook error page that contains a data security hole. If a user enters a faulty username and password, the error page Facebook serves is crafted in a way that reveals sensitive personal data: your email address and profile photo.
You can easily recreate this yourself. Just enter your email address and change one or two characters. The error page will guess that it is still you and then ask only for your password. Great! Facebook just made hacking easier for identity criminals.
This error page snafu happens regardless of your security settings. Persistent criminals can harvest email addresses and photos this way. If there is one thing I have learned while writing this blog, it is that identity criminals are creative and persistent. They will look for security holes to exploit in websites and in software. The folks at Facebook just gave them one.
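What the post describes is a classic account-enumeration leak: the failure path of the login form behaves differently for an address that exists than for one that does not, and on top of that hands over the owner's name and photo. The following is an added example, not code from the post or from Facebook; it puts a minimal login handler in the leaky shape beside a hardened one, and includes the differential probe a harvester would run against each. The account store, the hash parameters, the error strings and the field names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo store with one known account. The KDF, salt and iteration
# count are assumptions for the example, not a production configuration.
_SALT = b"demo-salt"
_ITER = 10_000


def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)


ACCOUNTS = {
    "alice@example.com": {
        "name": "Alice Example",
        "photo": "/photos/alice.jpg",
        "pw": _kdf("correct horse"),
    },
}

# Hash of a random secret, compared against when the address is unknown so
# that the unknown-address path costs the same KDF work as the known one.
_DUMMY_PW = _kdf(secrets.token_hex(16))


def leaky_login(email: str, password: str) -> dict:
    """Shape of the behaviour the post describes: the error response itself
    says whether the address exists and, if it does, who owns it."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"status": 400, "error": "No account found for that email address."}
    if hmac.compare_digest(acct["pw"], _kdf(password)):
        return {"status": 200, "session": secrets.token_hex(16)}
    # Wrong password: confirms the account and hands over name and photo.
    return {"status": 401, "error": "Wrong password, please try again.",
            "name": acct["name"], "photo": acct["photo"]}


def hardened_login(email: str, password: str) -> dict:
    """Same decision, but every failure returns the same body and does the
    same amount of work, so known and unknown addresses look alike."""
    acct = ACCOUNTS.get(email)
    stored = acct["pw"] if acct is not None else _DUMMY_PW
    ok = hmac.compare_digest(stored, _kdf(password)) and acct is not None
    if ok:
        return {"status": 200, "session": secrets.token_hex(16)}
    return {"status": 401,
            "error": "The email address or password you entered is incorrect."}


def harvest(login, candidates, wrong_password="definitely-not-it") -> set:
    """Attacker's view: compare each candidate's failure response with the
    response for an address that certainly does not exist. Any difference
    confirms an account. Returns the set of confirmed addresses."""
    baseline = login(f"nobody-{secrets.token_hex(8)}@invalid.example", wrong_password)
    confirmed = set()
    for email in candidates:
        if login(email, wrong_password) != baseline:
            confirmed.add(email)
    return confirmed


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com"]
    print("leaky   :", harvest(leaky_login, guesses))     # {'alice@example.com'}
    print("hardened:", harvest(hardened_login, guesses))  # set()
```

The hardened handler fixes the response, not just the wording: same status code, same body, and a KDF run on both paths so the timing does not give the answer away instead. The same rule applies to every form that takes an email address, since a registration or password-reset page that says "that address is already in use" leaks exactly what the login page has been fixed not to.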
Snafus like this give me the impression that folks at Facebook are incompetent both technically and with the user interface. There are hundreds of websites with better error messages. Basically, in an attempt to make things easier, the folks at Facebook created a security problem.
And if Facebook is this lax with the sign-in error page, what is happening that I cannot immediately see with its apps and social plugins? It also makes me wonder if Facebook is serious about protecting members' privacy, or if this latest error page snafu is the real Facebook showing itself again.
I call this error page: one-half step forward and five steps backwards. What do you think?