Facebook a privacy problem? Never would have guessed.
July 10, 2008 7:47 PM
Someone has accessed a friend's Facebook account more than once, despite the fact that my friend changes passwords on a regular basis. How?
My friend logs out of Facebook after each session, and surfs on an unsecured wireless connection. I'm told no one else has had access to the computer.
What are the possible ways this is happening? What should be done to prevent it?
Response by poster: Wall posts attributed to the account are being made, which my friend did not make. The most recent one occurred while he was logged in.
posted by Slam I Am at 8:02 PM on July 10, 2008
Could be his machine is compromised (trojan/virus). Also some of the facebook tools reveal passwords to the tool provider.
posted by Mitheral at 8:07 PM on July 10, 2008
Somebody might have access to her email account so that they can see what her new password is. Has she changed her password for her email?
posted by lilkeith07 at 8:08 PM on July 10, 2008 [1 favorite]
In my experience, Facebook won't let you be logged in from two locations simultaneously.
posted by PueExMachina at 8:08 PM on July 10, 2008
There might be a keylogger on the machine they are using...
posted by bkeene12 at 8:11 PM on July 10, 2008
Yes, have him change his e-mail password.
An alternative -- is it possible someone created an account mimicking his? Click on the 'offending' wall post username and see if you can edit the profile, to determine whether it's 'actually' him or a copycat account.
Also some of the facebook tools reveal passwords to the tool provider.
Do you mean the plugins/applications? I don't buy that if that's the case, to be honest -- they should be stored securely (using a one-way hash, e.g. MD5) by Facebook and not visible to anyone else.
posted by fogster at 8:13 PM on July 10, 2008
Seconding the email password change and checking for keyloggers.
While your friend is at it, he should change ALL his passwords... after checking for keyloggers, trojans, viruses, etc.
posted by matty at 8:16 PM on July 10, 2008
In my experience, Facebook won't let you be logged in from two locations simultaneously.
I can be logged in to facebook on my desktop in the bedroom and my laptop in the living room at the same time (much to my delight), so don't count on that being true.
posted by vytae at 8:38 PM on July 10, 2008
"and surfs on an unsecured wireless connection"
I'm assuming that the 'unsecured' part of this is not clear... This means that everything your friend submits from his/her laptop to the internet can be viewed by any 12 year-old within wireless range that spends 10 minutes finding the right software. Think of an unsecured wireless connection as no different from yelling at the top of your lungs to your wireless router. If every time your friend signed in to facebook he yelled out "my email for facebook is 'email@mydomain.com' and my password is 'somepassword'" would you wonder how someone has access to his account?
Tell your friend to secure his wireless account with WPA, and then change ALL of his passwords that he used with the unsecured wireless connections.
posted by ghostmanonsecond at 8:38 PM on July 10, 2008
surfs on an unsecured wireless connection
Also, could it be that a neighbor or fellow coffee-shop user or someone is watching through this unsecured connection, wherever it is? I'd recommend changing the passwords while hooked to a secured, preferably wired, network somewhere.
posted by vytae at 8:39 PM on July 10, 2008
Wall posts attributed to the account are being made
Are they really Wall posts, or are they part of an application (e.g. FunWall or something like that)?
Several Facebook applications have a vulnerability where anyone can basically create new "posts" or "gifts" or whatever, and attribute them to a different user. There was an article about this in 2600 around 6 months ago or so, but I can't look it up at the moment.
posted by kidbritish at 9:04 PM on July 10, 2008
Is your friend logging in via the non-SSL location (http://www.facebook.com)? In addition to the things mentioned above, try using https://www.facebook.com instead (note the extra 's' in 'https').
posted by homer2k1 at 10:21 PM on July 10, 2008
I can be logged in to facebook on my desktop in the bedroom and my laptop in the living room at the same time (much to my delight), so don't count on that being true.
Facebook will see both of your machines as coming from one IP address, so you aren't really using it from two locations simultaneously.
posted by cmonkey at 3:31 AM on July 11, 2008
2nd'ing odinsdream. If the PC is compromised, changing passwords is a wasted effort. I would nuke from orbit, just to be sure, and do a clean install.
posted by nomisxid at 8:36 AM on July 11, 2008
Facebook will see both of your machines as coming from one IP address, so you aren't really using it from two locations simultaneously.
I can be logged in at my home computer and also logged in at a computer at uni several suburbs away that uses a completely different IP range, so it's definitely possible to log in from multiple locations. (I can simultaneously check facebook from my mobile phone as well).
I would look into kidbritish's suggestions, there are some crap applications out there.
posted by jacalata at 5:02 AM on July 12, 2008
I'm assuming that the 'unsecured' part of this is not clear... This means that everything your friend submits from his/her laptop to the internet can be viewed by any 12 year-old within wireless range that spends 10 minutes finding the right software.
Not 'everything', just things which are not encrypted using SSL or other encryption methods.
posted by delmoi at 6:54 PM on July 12, 2008
This thread is closed to new comments.
Also, how do you know the account is being accessed?
posted by EndsOfInvention at 7:55 PM on July 10, 2008