Facebook Connect observation
Here’s a bit of a dud write-up. Dud because the risks are minimal, as I realised when I started looking into cross-domain iframe DOM scraping… But potentially interesting reading for web developers nonetheless.
If you have been browsing the internet lately, you have more than likely seen a Facebook Connect box. It looks like this:
This particular screenshot is taken from Gameplanet Forums, but Facebook Connect makes it easy for any website developer to embed the panel into their website. I could put one on tom.net.nz, if I was so inclined.
Now, Facebook would argue that this frame is a naive, harmless feature, because the information is never passed directly to the website in question, but rather the website just embeds a little piece of code, and Facebook generates the actual content of the pane. The code embedded is identical for any user visiting the website.
This is all well and good, however (!), the content that Facebook generates for this pane will differ depending on whether or not the user viewing it is currently logged into Facebook. If they are, then Facebook tries to show information more “relevant” to that user. For example, in the above screenshot, “Matt” is my friend on Facebook (and the only person in my friends who has “liked” Gameplanet on Facebook). The other people are generated randomly, but no matter how many times I refresh the page, Matt will always appear in the list. Do you see where this is going?
One might assume that Facebook has put some measures in place to stop the site from scraping this information, however the tech savvy can follow this link, which generates the box for Gameplanet’s Facebook Connect pane: link. If you view the source, there are all the names, in plain HTML, with links to both the photo and (perhaps more disturbingly) the profile of each person. I was also able to scrape my own user ID from the HTML. Fortunately, in most modern browsers, cross-site scripting (XSS) protection, namely the same-origin policy, prevents the parent page from accessing the DOM of Facebook’s frame, but this is still a major potential security problem for older browsers which don’t have such protection built in. By inspecting the list of users on a few page loads and looking for duplicate names, a malicious site could ascertain who is friends with the user browsing the page. The parameters passed to the frame source allow significant customisation of the response; for example, with a bit of tweaking I was able to come up with the following source, which now shows 100 users instead of the default 15. To take it a step further, a malicious page could potentially load this frame without even showing it, meaning the user would be completely unaware that the site was doing anything to do with Facebook, while meanwhile it’s scraping the user’s private information.
Of course, those using a remotely modern browser do not have to worry about this sort of attack… But I think it does highlight the potential risks associated with these completely unnecessary “features” – not to mention the dangers of using an out-of-date browser. I would have hoped that at the very least Facebook would have performed some source obfuscation or dynamic JavaScript DOM population.
June 21st, 2010 | Posted in Code, Intarwebs | No Comments »
Framework
I’ve finally decided on a platform/framework for Money Mouth. I was tossing up CakePHP, Django, and Ruby on Rails, and decided to go with something else again: Pinax.
Pinax is a framework upon a framework, effectively. It is built as an additional layer above Django, that adds many niceties out of the box, such as email verification, profile management, login/registration, OpenID support, user messaging, groups, wikis, blogging, etc etc. I have a basic structure in place that currently displays a plain home page, and allows login/registration. Hopefully using Pinax will allow me to quickly develop and extend Money Mouth when I actually sit down to write the meat of the code.
I also set myself up with a nice little deployment script on my WebFaction hosting for pulling down the latest copy of my code from SVN, which should save me additional time.
June 9th, 2010 | Posted in Money Mouth | No Comments »
Moving
For a long time, I’ve been interested in software development and computer programming. At some point in my mid-teens I worked out that I could get paid to write code, something I already enjoyed doing. It was from this time that I had vague aspirations to move overseas and work at a large software organisation, and even back then, the first one that always came to mind was Microsoft.
Those aspirations had always been in the back of my mind, while I worked on my Bachelor of Engineering, and worked at Canary. After an initial application attempt to Microsoft in 2008 that was thwarted by the recession, I decided to prepare my CV once again at the end of last year (2009). Without much further thought, I submitted it to Microsoft. Then about a month ago, I received an email that I was to be having an interview over the phone. As far as I could tell, this phone interview went atrociously, but contrary to my expectations I received an email a week later detailing plans to fly me over to Sydney to interview in person with a few recruiters. I arrived back from said flight this morning.
Long story short, I will be moving to Microsoft’s Redmond HQ in Seattle, USA. This will be taking place in late September.
This is pretty much a dream come true, and I’m stoked to actually be seeing those aspirations from so long ago become reality. I have long said that I would not be looking for another job in New Zealand, and I have truly enjoyed my time working at Canary. However, the opportunity to be able to work in another country and see some more of the world was simply too great to pass up. I believe that I will also find more room for personal growth and career advancement in a larger company. By the way, quick plug for our job ad, if you’re a software developer in Auckland.
This change is not without its drawbacks, and I will miss much about my life in New Zealand, not the least of which being proximity to family, and the friends that I have grown close to in Auckland over these last few years. I will miss you all like crazy. I hope to have a blast with my last few months in New Zealand (let’s hit the snow!), and no doubt I’ll be spending the majority of my annual leave here (New Year’s anyone?).
Keep an eye out for some sort of leaving party!
Cheers.
May 19th, 2010 | Posted in Code, Life | 2 Comments »
Winter
So winter is just around the corner here in New Zealand. Which means crappy weather, short days, and SNOW!!!
Can’t wait.
May 13th, 2010 | Posted in Life | No Comments »
Disillusioned with Facebook
Like more than 400 million other people on this planet, I belong to a little site called Facebook. I was what you might call an “early adopter”, at least in New Zealand. I joined when the site was only open to university/college students (requiring one to have a university email to register). I believe it had been running for a couple years before they added New Zealand universities to those eligible for registration. I was literally within the first hundred or so people to sign up for it at the University of Auckland, on the 26th of February, 2006.
That’s more than 4 years ago now, and it’s kind of saddening to see how Facebook has changed in that time. When I first joined, I immediately liked it for the following reasons:
- It did photos better than any other site I’d seen, with photo tagging and a simple interface (I was on MySpace, Friendster and Bebo at the time, none of which had photo tagging).
- You couldn’t do any customisation of page appearance. Everyone’s profile was clean and uncluttered. (BIG contrast with both MySpace and Bebo). There wasn’t any extra cruft, and you couldn’t add images and music and videos and so on into your profile. This alone made me love Facebook more than anything I’d used before. My eyes would no longer bleed when looking at peoples’ profiles. No more sparkly stuff, or god awful music that started playing as soon as you opened a page. Thank God.
- Privacy was the default, not a hidden option. You couldn’t see anyone’s stuff unless they opted to make it public, or you added them as a friend.
Overall, it just felt much nicer and cleaner than anything I’d used before. I promptly told all my university-attending friends about it, and a few months later, ditched the other three sites. Then started the slow and steady decline. You may or may not have been around to see some of these changes:
- The opening of registration to anyone and everyone. Suddenly the site was full of preteens and teenagers that (quite frankly) I was happy to have left behind on MySpace and Bebo. When it was only open to university students, it had an “exclusive” feel to it, which was nice.
- The introduction of applications. This one particularly pissed me off. I was getting constant spam from other people “inviting” me to use the applications they were using, and my news feed was full of junk about other peoples’ application activity. Worst of all, the thing that originally had me most excited (the clean, uncluttered appearance of profiles) was now pretty severely compromised. While you still couldn’t change the appearance of your page in terms of background colours/images, and while the layout was still roughly the same, pages were now full of “fishtanks” and “DO U LIEK ME?” questionnaires, and other such junk. This is now better under control, with applications appearing either in the small column to the left of profiles, or in the “Boxes” tab, but it was certainly annoying at the time.
- The gradual erosion of user privacy over the years. This has almost happened so slowly that it’s been unnoticeable, but Facebook is (at its current stage of development) trying to stick its finger in too many pies. It is pandering to its partners and developers, by giving them more access to user information, at the cost of user privacy. With the likes of Beacon (now shut down, two years after its inception), Connections and Open Graph now making your public information available to third parties, it has now reached the point where it seems they no longer care about their users as anything other than a revenue source. The information being shared with third parties notably includes information that you can set the “Visibility” of to “Only Friends” in your privacy settings. Apparently Visibility only refers to other Facebook users, and some third parties are exempt from such restrictions. Users essentially have no control at all over where this information could end up.
- Along with the occasional reduction in default privacy settings (or removal of privacy completely from certain items), Facebook seems to be deliberately making it difficult for you to opt out of these settings.
Perhaps even more worrying, is how few people are actually even aware of this erosion of privacy. Facebook have done a good job of keeping it pretty well hidden, or glazed over as “enhancing the experience”. Of course, most people (myself included) don’t read privacy policies (often pages and pages worth) every few months.
Of course, a social networking site is only useful if there are a good proportion of the people you care about using it. With that in mind, Facebook is still good from the perspective of sharing photos, organising events, and communicating with friends. However, I have stripped most of my personal information from the site (bar photos), and will gladly move to a new platform if it can grab me in the same way that Facebook did when it first appeared on the scene.
In particular, I’ll be keeping an eye on Diaspora, an intriguing project about to start development, which promises to deliver on the concept of an “open source” social network. In a nutshell, it’s a network of personal “nodes”. Each person on the network owns their own node, to which they can add whatever information they like, and access it from anywhere. In turn, they have fine-grained control over who can see that information. Think of it like your own personal house that contains your personal information (basically everything that you’d otherwise be sharing on Facebook/Flickr/LastFM/Twitter/etc), and you can open the door to whomever you (and only you) choose. Because you own the house, you can demolish it at any time, or add and remove furniture as you please. It’s also being developed by a bunch of super nerds, so I can totally get behind it:
Hopefully it amounts to something! My biggest concern is that it’s very technical and geeky at this point in time, so they will need a good marketing team with a pitch for the masses before it gains any real ground.
May 6th, 2010 | Posted in Intarwebs | 2 Comments »
Tom is a 23 year-old software engineer currently based in Auckland, New Zealand.