Comments on: Facebook a privacy problem? Never would have guessed.

Question: Facebook a privacy problem? Never would have guessed.

Slam I Am — Thu, 10 Jul 2008 19:47:24 -0800

Someone has accessed a friend's Facebook account more than once, despite the fact that my friend changes passwords on a regular basis. How?

My friend logs out of Facebook after each session, and surfs on an unsecured wireless connection. I'm told no one else has had access to the computer.

What are the possible ways this is happening? What should be done to prevent it?

By: EndsOfInvention

EndsOfInvention — Thu, 10 Jul 2008 19:55:36 -0800

How secure are the passwords that your friend is using? For example, "flower" is very unsecure (it's short, is an existing word, and only uses lowercase letters), whereas 797HDb987adsasd98klak201309 would be extremely secure (since it uses upper and lower case letters, and numbers, and isn't an existing word).

Also, how do you know the account is being accessed?

By: Slam I Am

Slam I Am — Thu, 10 Jul 2008 20:02:12 -0800

Wall posts attributed to the account are being made, which my friend did not make. The most recent one occurred while he was logged in.

By: Mitheral

Mitheral — Thu, 10 Jul 2008 20:07:55 -0800

Could be his machine is compromised (trojan/virus). Also some of the facebook tools reveal passwords to the tool provider.

By: lilkeith07

lilkeith07 — Thu, 10 Jul 2008 20:08:10 -0800

Somebody might have access to her email account so that they can see what her new password is. Has she changed her password for her email?

By: PueExMachina

PueExMachina — Thu, 10 Jul 2008 20:08:38 -0800

In my experience, Facebook won't let you be logged in from two locations simultaneously.

By: bkeene12

bkeene12 — Thu, 10 Jul 2008 20:11:24 -0800

There might be a keylogger on the machine they are using...

By: fogster

fogster — Thu, 10 Jul 2008 20:13:23 -0800

Yes, have him change his e-mail password.

An alternative -- is it possible someone created an account mimicking his? Click on the 'offending' wall post username and see if you can edit the profile, to determine whether it's 'actually' him or a copycat account.

Also some of the facebook tools reveal passwords to the tool provider.

Do you mean the plugins/applications? I don't buy that if that's the case, to be honest -- they should be stored securely (using a one-way hash, e.g. MD5) by Facebook and not visible to anyone else.

By: matty

matty — Thu, 10 Jul 2008 20:16:44 -0800

Seconding the email password change and checking for keyloggers.

While your friend is at it, he should change ALL his passwords... after checking for keyloggers, trojans, viruses, etc.

By: vytae

vytae — Thu, 10 Jul 2008 20:38:22 -0800

In my experience, Facebook won't let you be logged in from two locations simultaneously.

I can be logged in to facebook on my desktop in the bedroom and my laptop in the living room at the same time (much to my delight), so don't count on that being true.

By: ghostmanonsecond

ghostmanonsecond — Thu, 10 Jul 2008 20:38:59 -0800

"and surfs on an unsecured wireless connection"

I'm assuming that the 'unsecured' part of this is not clear... This means that everything your friend submits from his/her laptop to the internet can be viewed by any 12 year-old within wireless range that spends 10 minutes finding the right software. Think of an unsecured wireless connection as no different from yelling at the top of your lungs to your wireless router. If every time your friend signed in to facebook he yelled out "my email for facebook is 'email@mydomain.com' and my password is 'somepassword'" would you wonder how someone has access to his account?

Tell your friend to secure his wireless account with WPA. and then change ALL of his passwords that he used with the unsecured wireless connections.

By: vytae

vytae — Thu, 10 Jul 2008 20:39:50 -0800

surfs on an unsecured wireless connection

Also, could it be that a neighbor or fellow coffee-shop user or someone is watching through this unsecured connection, wherever it is? I'd recommend changing the passwords while hooked to a secured, preferably wired, network somewhere.

By: kidbritish

kidbritish — Thu, 10 Jul 2008 21:04:00 -0800

Wall posts attributed to the account are being made

Are they really Wall posts, or are they part of an application (e.g. FunWall or something like that)?

Several Facebook applications have a vulnerability where anyone can basically create new "posts" or "gifts" or whatever, and attribute them to a different user. There was an article about this in 2600 around 6 months ago or so, but I can't look it up at the moment.

By: homer2k1

homer2k1 — Thu, 10 Jul 2008 22:21:04 -0800

Is your friend logging in via the non-SSL location (http://www.facebook.com)? In addition to the things mentioned above, try using https://www.facebook.com instead (note the extra 's' in 'https').

By: cmonkey

cmonkey — Fri, 11 Jul 2008 03:31:28 -0800

I can be logged in to facebook on my desktop in the bedroom and my laptop in the living room at the same time (much to my delight), so don't count on that being true.

Facebook will see both of your machines as coming from one IP address, so you aren't really using it from two locations simultaneously.

By: odinsdream

odinsdream — Fri, 11 Jul 2008 07:09:20 -0800

Just to be on the safe side, your friend should not change his passwords using the computer they normally use. Change all passwords, but change them from another unrelated computer.

By: nomisxid

nomisxid — Fri, 11 Jul 2008 08:36:00 -0800

2nd'ing odinsdream. If the pc is compromised, changing passwords it a wasted effort. I would nuke from orbit, just to be sure, and do a clean install.

By: jacalata

jacalata — Sat, 12 Jul 2008 05:02:23 -0800

Facebook will see both of your machines as coming from one IP address, so you aren't really using it from two locations simultaneously.

I can be logged in at my home computer and also logged in at a computer at uni several suburbs away that uses a completely different IP range, so it's definitely possible to log in from multiple locations. (I can simultaneously check facebook from my mobile phone as well).

I would look into kidbritish's suggestions, there are some crap applications out there.

By: delmoi

delmoi — Sat, 12 Jul 2008 18:54:07 -0800

I'm assuming that the 'unsecured' part of this is not clear... This means that everything your friend submits from his/her laptop to the internet can be viewed by any 12 year-old within wireless range that spends 10 minutes finding the right software.

Not 'everything', just things which are not encrypted using SSL or other encryption methods.