Posts by Andre 4

It's not really malware if it doesn't work

More than phone calls

You can do more than phonecalls.

Go into the contacts, and you can send an email by sharing a contact. You can send an MMS the same way. Once in the MMS app, click the camera and you can view all the photos on the phone, or use the camera.

You can edit contacts, change ringtones.

You can access the paste buffer and see what the last copy/cut/paste was.

You can enter the user's voicemail (if they've saved their password). From there, listen to their messages, change their password, etc.

Of course, you can view all the contacts, edit them, delete, add, and view recent calls.

Pretty heavy-duty flaw if you ask me.

Wow...

....this sounds so.... American!

If I wrote code...

I'd check for buffer overflow problems. You'd think they'd have caught onto this sort of thing by now.

@jhermans

Nope - that won't turn it off. If you're very clever, and dig deep enough, you will find Facebook's statement that you can't turn that bit off. They tell you quite clearly that sites can get your name and location, because it is "public information".

Read their statement like you were a lawyer:

""When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs."

There is one way to kill it, and that's to set up a dummy entry in your hosts file for the site they use for this (connect.facebook.net). This does break some Facebook functionality though.

Check it out for yoruself. Open Facebook in one window and log in. Browse around CNN's site in another winodw until you find a page that supports Facebook comments and see your name there. If you have some tool that shows you all the connections behind the scenes (like Safari on Mac's Activity window) you'll see the connection (and their JS file) even on CNN's main page. That means CNN knows your name even before you reach a comments page.

Worse yet, if you told Facebook to keep you logged in, this can happen when you don't have Facebook actually open, since it uses your Facebook cookies.

You can of course disable Javascript too. Or delete your Facebook account.

Can't resist...

Is that why they call them mag strip dumps?

Well...

Anybody that does banking transactions on a jailbroken phone - with a default password - is a fidiot.

How about the front door?

Now that Facebook has "vanity" ID's, half of the security of a user's logon is gone. It used to be that for someone to get into my account, they had to know what email address I used, plus my password. Now they know my logon ID, as the vanity ID can be used as a login. And of course, they can get that from the URL of my profile page.

Now all they need is to guess my password, since they already have my logon ID.

Kind of lame that Facebook does something so obvious as this.