
It's not really malware if it doesn't work
10 publicly visible posts • joined 23 Sep 2009
You can do more than phonecalls.
Go into the contacts, and you can send an email by sharing a contact. You can send an MMS the same way. Once in the MMS app, click the camera and you can view all the photos on the phone, or use the camera.
You can edit contacts, change ringtones.
You can access the paste buffer and see what the last copy/cut/paste was.
You can enter the user's voicemail (if they've saved their password). From there, listen to their messages, change their password, etc.
Of course, you can view all the contacts, edit them, delete, add, and view recent calls.
Pretty heavy-duty flaw if you ask me.
Nope - that won't turn it off. If you're very clever, and dig deep enough, you will find Facebook's statement that you can't turn that bit off. They tell you quite clearly that sites can get your name and location, because it is "public information".
Read their statement like you were a lawyer:
"When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs."
There is one way to kill it, and that's to set up a dummy entry in your hosts file for the site they use for this (connect.facebook.net). This does break some Facebook functionality though.
Check it out for yourself. Open Facebook in one window and log in. Browse around CNN's site in another window until you find a page that supports Facebook comments and see your name there. If you have some tool that shows you all the connections behind the scenes (like Safari on Mac's Activity window) you'll see the connection (and their JS file) even on CNN's main page. That means CNN knows your name even before you reach a comments page.
Worse yet, if you told Facebook to keep you logged in, this can happen when you don't have Facebook actually open, since it uses your Facebook cookies.
You can of course disable Javascript too. Or delete your Facebook account.
Even the most security conscious people can't turn off what I consider is the worst of their "features".
If you are logged into Facebook, and visit certain websites (CNN for one), those sites can pull your name and location information without your knowledge or consent.
CNN is already using this on some of their pages, and you may not have noticed. Some of their pages allow you to post comments. If you're logged into Facebook, your name will already appear in the comments section, ready for you to post a comment. This is done through some fancy Javascript that talks to one of the Facebook authentication servers, using credentials from your Facebook cookies from your other open window *.
Facebook's privacy settings do not allow you to disable this "feature". So, you just need to visit a site and wham, they just got your name and location.
Someone should sue Facebook for millions for this one.
* Some versions of IE on Windows seem to successfully block this.
Now that Facebook has "vanity" IDs, half of the security of a user's logon is gone. It used to be that for someone to get into my account, they had to know what email address I used, plus my password. Now they know my logon ID, as the vanity ID can be used as a login. And of course, they can get that from the URL of my profile page.
Now all they need is to guess my password, since they already have my logon ID.
Kind of lame that Facebook does something so obvious as this.
Why should someone lose their privacy because a bank employee made an error?
Besides, why are they sending any private information unencrypted through email? If it was encrypted, this would be a non-issue. Even if the employee got the right address, anyone could intercept an unencrypted file anywhere along the way.
If they sent me such a file, they would have to buy it back off me. Lord knows, they would charge me a penalty if I made some banking error.