Facebook API abuse can expose private user data, say hackers !!!!

IDG News Service - Facebook is ignoring a serious shortcoming in the way it limits application developers' access to information about Facebook users, according to a pair of hackers.

The problem is in the way Facebook's APIs (application programming interfaces) work, and could even lead to unauthorized password changes, according to hatter and ErrProne, two members of hacking think-tank Blackhat Academy.

Facebook applications use a special query language called FQL (Facebook Query Language) to extract and modify user information stored in the social network's database. This proprietary language is well documented and the information is public, allowing anyone to learn it.

Querying sensitive user information such as email addresses through FQL requires an API key, a unique identifier Facebook attributes to each app, but a lot of other private information can be extracted from the database without any such restrictions. The two hackers even provided working proof-of-concept code in their advisory.

According to hatter, API keys have too much power from the moment they are issued, and obtaining one is simple. A malicious programmer could obtain and abuse an API key while the associated app was still in development. Applications have access to more data while in that phase, before they are released; after Facebook reviews an app, it will restrict its rights to allow access only to the data the app needs to function.

However, attackers don't even need their own API key to extract data. They can piggyback on the key of a legitimate app by installing it on their profile and feeding it information requests with altered user ids. Depending on the application's permissions, this technique can be used to gather information from other users with the app installed, even if those users only shared the information with their friends.

This sort of abuse would likely be detected quickly by Facebook's security team, but attackers would still have enough time to grab the information they want before being blocked.

Blackhat Academy notified Facebook of this issue over two months ago, according to Hatter, and the group decided to publish the details only because the social networking giant doesn't share its concerns.

A Facebook spokesman dismissed the claims, saying: "What this person calls an 'FQL Injection' is simply our Facebook Platform APIs working as intended."

"We have a dedicated team that does a robust review of the applications accessing our APIs. This team uses a risk-based approach, looking at applications' velocity as defined by number of users or pieces of data shared," said the spokesman. "When a potentially bad application is reported to us or detected by our systems, we act swiftly to remove or sanction it before it gains access to data."

The hackers disagree, saying that Facebook probably didn't understand the full scope of the attack. "FQL injection is present in applications -- or you can just query the API directly," said Hatter.

The hacker is not convinced of the efficiency of Facebook's defenses either. "Analyzing applications based on velocity is awesome against worms and malware that spread rapidly. However, if a single user is the desired target, it does not help so much. An attacker could easily trick the target into running a single malicious app," he said.

Facebook's application platform has long been a source of privacy and security risks. Earlier this year, it was discovered that many apps, even top ones, were sharing and in some cases selling user ids to advertisers. This allowed them to build profiles used for behavioral advertising.

Earlier this week Trend Micro reported an incident where attackers managed to serve drive-by download exploits through malicious ads displayed in a legitimate app. These are clear indications that Facebook can't guarantee a good behavior from every app on its network and the overexposed APIs are just one more thing ill-intentioned individuals can exploit.

Apple has lost a visionary and creative genius !!!!!! :(

The co-founder of Apple was 56 years old. Jobs had been battling a rare form of pancreatic cancer for years.

MAKING OF APPLE COMPUTERS : TIMELINE
===========================

1976: In April 1976, 26-year old Steve Wozniak and 21 year-old Steve Jobs, both college dropouts found Apple Computer, Inc. Both partners had sold their most valuable possessions, a van and two calculators to raise USD 1,300 to start the company.

1980: Apple renewed itself into public ownership in December 1980. Its offering of 4.6 million shares at USD 22 each sold out in minutes. 1981’s second offering of 2.6 million shares too sold out almost immediately.

1982: By January 1982, Apple had sold 6,50,000 computers worldwide. And, in December 1982, it became the first personal computer company to reach the USD 1 billion mark in annual sales.

1984: Debut of the Macintosh — Apple sold 70,000 Macintosh computers in the first 100 days. However, Macintosh sales temporarily fell-off after a promising start, and the company was disturbed by internal problems.

1985: Internal strife continued, John Sculley assumed the helm post the departure of Jobs and other Apple executives. They founded a new computer company, NeXT Incorporated as a rival to Apple.

1991: 1990s saw the crippling an industry giant at the back of mismanagement. However, the PowerBook series released in 1991 garnered a 21% market share in less than six months —Apple was all set to ride the digital wave of the next century.

1996: Return of Jobs — In December 1996, Apple paid USD 377 million to buy NeXT, led by Steve Jobs. Jobs, Apple's visionary was back as a special advisor, 12-years after he had left.

1997: Steve Jobs was named interim chief executive officer and Apple now focused exclusively on desktop and portable Macintoshes. Jobs shut plants, laid off thousands of workers, and sold stock to rival Microsoft for receiving cash infusion of USD 150 million in exchange.

1998: Though Apple's organizational hierarchy underwent sweeping reorganization in 1997, the most visible indication of Jobs's return was unveiled in August 1998. The all-in-one massively successful iMac was released.

2000: Jobs well done — With Jobs’s restorative efforts, Apple was again a profitable company. The company gained 94% in net income, profits swelled to USD 601 million and stock climbed 140% in 1999. And, Jobs's returned to Apple on a permanent basis.


2008: Apple’s shares began a dramatic climb with soaring sales and earnings. From USD 119 in late-February 2008, the stocks were nearly USD 190 in May 2008 and then crashed with the market meltdown later that year.

2011: Reinforcing the rise since the start of 2009, Apple has been witnessing explosive growth in sales and profit from iPhones, iPods, iPads and Macs.

August 25, 2011: Apple shares tumbled as much as 7% today, as a knee-jerk reaction to Jobs’s resignation. The world's most valuable technology firm now has all eyes and every weight on the shoulders of Tim Cook, who earlier had stepped in as interim CEO numerous times.