

Facebook a privacy problem? Never would have guessed.
July 10, 2008 7:47 PM

Someone has accessed a friend's Facebook account more than once, despite the fact that my friend changes passwords on a regular basis. How?

My friend logs out of Facebook after each session, and surfs on an unsecured wireless connection. I'm told no one else has had access to the computer.

What are the possible ways this is happening? What should be done to prevent it?
posted by Slam I Am to Computers & Internet (18 answers total) 1 user marked this as a favorite
 
How secure are the passwords that your friend is using? For example, "flower" is very unsecure (it's short, is an existing word, and only uses lowercase letters), whereas 797HDb987adsasd98klak201309 would be extremely secure (since it uses upper and lower case letters, and numbers, and isn't an existing word).

Also, how do you know the account is being accessed?
posted by EndsOfInvention at 7:55 PM on July 10, 2008


Wall posts attributed to the account are being made, which my friend did not make. The most recent one occurred while he was logged in.
posted by Slam I Am at 8:02 PM on July 10, 2008


Could be his machine is compromised (trojan/virus). Also some of the Facebook tools reveal passwords to the tool provider.
posted by Mitheral at 8:07 PM on July 10, 2008


Somebody might have access to her email account so that they can see what her new password is. Has she changed her password for her email?
posted by lilkeith07 at 8:08 PM on July 10, 2008 [1 favorite]


In my experience, Facebook won't let you be logged in from two locations simultaneously.
posted by PueExMachina at 8:08 PM on July 10, 2008


There might be a keylogger on the machine they are using...
posted by bkeene12 at 8:11 PM on July 10, 2008


Yes, have him change his e-mail password.

An alternative -- is it possible someone created an account mimicking his? Click on the 'offending' wall post username and see if you can edit the profile, to determine whether it's 'actually' him or a copycat account.

"Also some of the Facebook tools reveal passwords to the tool provider."

Do you mean the plugins/applications? I don't buy that if that's the case, to be honest -- they should be stored securely (using a one-way hash, e.g. MD5) by Facebook and not visible to anyone else.
posted by fogster at 8:13 PM on July 10, 2008


Seconding the email password change and checking for keyloggers.

While your friend is at it, he should change ALL his passwords... after checking for keyloggers, trojans, viruses, etc.
posted by matty at 8:16 PM on July 10, 2008


"In my experience, Facebook won't let you be logged in from two locations simultaneously."

I can be logged in to facebook on my desktop in the bedroom and my laptop in the living room at the same time (much to my delight), so don't count on that being true.
posted by vytae at 8:38 PM on July 10, 2008


"and surfs on an unsecured wireless connection"

I'm assuming that the 'unsecured' part of this is not clear... This means that everything your friend submits from his/her laptop to the internet can be viewed by any 12-year-old within wireless range that spends 10 minutes finding the right software. Think of an unsecured wireless connection as no different from yelling at the top of your lungs to your wireless router. If every time your friend signed in to Facebook he yelled out "my email for facebook is 'email@mydomain.com' and my password is 'somepassword'" would you wonder how someone has access to his account?

Tell your friend to secure his wireless account with WPA, and then change ALL of his passwords that he used with the unsecured wireless connections.
posted by ghostmanonsecond at 8:38 PM on July 10, 2008


"surfs on an unsecured wireless connection"

Also, could it be that a neighbor or fellow coffee-shop user or someone is watching through this unsecured connection, wherever it is? I'd recommend changing the passwords while hooked to a secured, preferably wired, network somewhere.
posted by vytae at 8:39 PM on July 10, 2008


"Wall posts attributed to the account are being made"

Are they really Wall posts, or are they part of an application (e.g. FunWall or something like that)?

Several Facebook applications have a vulnerability where anyone can basically create new "posts" or "gifts" or whatever, and attribute them to a different user. There was an article about this in 2600 around 6 months ago or so, but I can't look it up at the moment.
posted by kidbritish at 9:04 PM on July 10, 2008


Is your friend logging in via the non-SSL location (http://www.facebook.com)? In addition to the things mentioned above, try using https://www.facebook.com instead (note the extra 's' in 'https').
posted by homer2k1 at 10:21 PM on July 10, 2008


"I can be logged in to facebook on my desktop in the bedroom and my laptop in the living room at the same time (much to my delight), so don't count on that being true."

Facebook will see both of your machines as coming from one IP address, so you aren't really using it from two locations simultaneously.
posted by cmonkey at 3:31 AM on July 11, 2008


Just to be on the safe side, your friend should not change his passwords using the computer they normally use. Change all passwords, but change them from another unrelated computer.
posted by odinsdream at 7:09 AM on July 11, 2008


2nd'ing odinsdream. If the PC is compromised, changing passwords is a wasted effort. I would nuke from orbit, just to be sure, and do a clean install.
posted by nomisxid at 8:36 AM on July 11, 2008


"Facebook will see both of your machines as coming from one IP address, so you aren't really using it from two locations simultaneously."

I can be logged in at my home computer and also logged in at a computer at uni several suburbs away that uses a completely different IP range, so it's definitely possible to log in from multiple locations. (I can simultaneously check facebook from my mobile phone as well).

I would look into kidbritish's suggestions, there are some crap applications out there.
posted by jacalata at 5:02 AM on July 12, 2008


"I'm assuming that the 'unsecured' part of this is not clear... This means that everything your friend submits from his/her laptop to the internet can be viewed by any 12-year-old within wireless range that spends 10 minutes finding the right software."

Not 'everything', just things which are not encrypted using SSL or other encryption methods.
posted by delmoi at 6:54 PM on July 12, 2008
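
Added example, not part of any poster's comment: a defender's check of which parts of a login flow would cross an open wireless network unencrypted, following the http/https distinction raised in the thread. The host `social.example`, the sample page, the cookie and the function names are all constructed for illustration.

```python
# Added example: list what a passive listener on an open network could read
# from a login flow. The sample page and headers below are constructed.
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

SAMPLE_HTML = ('<form action="/do_login" method="post"><input name="email">'
               '<input type="password" name="pass"></form>')
SAMPLE_HEADERS = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]


class LoginFormFinder(HTMLParser):
    """Collect the action URL of every form containing a password field."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.password_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif (tag == "input" and self.action is not None
              and (attrs.get("type") or "").lower() == "password"):
            self.password_actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def audit_login_flow(page_url, html, response_headers):
    """Return findings for data that would travel unencrypted."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("login page served over http")
    finder = LoginFormFinder()
    finder.feed(html)
    for action in finder.password_actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if urlparse(target).scheme != "https":
            findings.append(f"password submitted in cleartext to {target}")
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            for morsel in SimpleCookie(value).values():
                if not morsel["secure"]:  # sent on plain-http requests too
                    findings.append(f"cookie {morsel.key} lacks Secure flag")
    return findings
```

An empty result for an https page means the password and the session cookie stay inside the encrypted channel; any finding marks something that wireless encryption such as WPA would otherwise be the only protection for.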

