FBS

Dec 1, 2010

How I used Facebook and lost all my personal content

If you have read part 4 of my article (and you definitely should), part 5 is an extension of it. Remember that most Facebook apps require you to grant permission for your information to be handed to the app's developers, and that those developers supposedly agree not to store it. We had serious doubts about that. Here is how your information gets transferred right under your nose, with a real demonstration of how I lost all my personal information by doing something I thought was safe and innocent enough: installing a Facebook app, like everyone else does. Here is what followed...

We found an interesting app, FriendCSV, that promises to extract friend information from your account into a CSV file. As usual, we went ahead and added the app and got the usual confirmation screen. Like most unsuspecting users, we ignored all the checkboxes and clicked the "Add FriendCSV" button. After that we were on our way to using the application, hoping to live happily ever after. Well, not so fast! What you did not see, as usual, is the fine print that appears as soon as you click the "Add" button...
The fine print read: This application has been created in accordance with the terms and condition outlined in the Facebook Terms of Use (May 24, 2007), Facebook Privacy Policy (Sept 12, 2007), and the Facebook Platform Terms of Service and Platform Documentation (July 25, 2007). The data exported from your cadre of friends is obtained in accordance with their Privacy Settings and does not contain any contact information. By using this application, you consent to allow the developers to create a basic entry for you on bigsight.org, a site they also own and maintain. Your use of this application represents your consent to the privacy policies laid out on bigsight.org. The developers of this application do not store any information (encrypted or otherwise) about your friends. No warranty is provided with this application. Questions and concerns should be addressed to friendcsv@bigsight.org. 
Do you really think anyone reads this? Here is what happened next. We confirmed that we wanted to run the extraction using this app, and BigSight.org retrieved our information. At this stage we did not know what they had extracted.
It did not take long to find out, the hard way, by Googling our own name. Google displayed a link related to my name. I clicked on it: a brand new page had been created for me at BigSight.org.
Now I was shocked, because I had apparently been signed up for something without my explicit knowledge. Of course, the truth is, shame on me for not reading the fine print first. But we know not everyone will. Funnily enough, I was never emailed a login or password, so this page could have been sitting out there without my knowledge for as long as I remained ignorant of it...
After failing to log in to the site, I clicked the forgotten-password link and was emailed a new password. Once logged in, it was evident that a lot of information had been transferred over: my name, my location, my birthday and so on. But that is not all...
I clicked on the photos link, and boom: they had every one of the photos I had uploaded to Facebook. Of course, the photos themselves were still stored inside Facebook, but every link to each album and picture, enough to re-create them, was there. Yes, you heard it right: all my albums and all the pictures that I thought I was sharing only with my friends were now on display in broad daylight, indexed by search engines.
Further clicking around the site showed that every picture within each album could be displayed and viewed. So overnight, my personal pictures, which were supposedly viewable only by my friends, became available for the whole world to see. I would not even need to be as smart as Byron Ng (the guy who got at Paris Hilton's photos on Facebook). All I would have to do is send Paris an invitation to this application for her to click on, and I would get to see all her photos.
Here is the thing: I understood that my personal pictures were accessible over HTTP by anyone holding a direct link to them; the "friends only" setting controls who can find an album on Facebook, not who can fetch an image whose URL they already have. But on Facebook I would normally have to actually send the link to the people I wished to share with, and I could only send one album at a time. Thanks to BigSight.org, every single album and picture had been retrieved in one go and put up for public display. Thank God I do not have any incriminating images...
Another thing: when you are not a Facebook developer, you do not know what information developers have access to. Sure, Facebook helps by not passing our email address to them and by instructing that extracted information must not be stored, but that is clearly a loophole: a policy the developer promises to follow, not a technical control. The fine print, though I am not a lawyer, may even give the application developer the right to store the information they got from us. Who knows? If you know, please comment below.
Here is an even smarter trick they used. Remember that the FriendCSV application is supposed to give me a comma-separated text file of my friends? They asked the user to enter an email address so that, when the extraction was done, they could email the file. So I entered my Facebook email address. Needless to say, the CSV file never came, despite multiple tries. What they did instead was harvest the email address I typed in for their own use: in my BigSight.org profile, that email address was displayed as contact information. That is pretty sneaky, because while Facebook application developers have no way to extract a user's email address through the platform, these guys found a way (almost as bad as phishing) to get you to type in the information they want.
Of course, this whole demonstration was done after thorough research, and we did not really lose any information of our own. But we wanted to show you how it is done, so that you can be careful.
The moral of the story is: how much trust can you place in Facebook, or in the developers, to handle your information properly?
  • Will your information be sold to spammers?
  • Will your information be handed over to marketers?
  • Will your information be collected and broadcast to the world without you knowing (even if you were supposed to know, had you read the fine print)?
  • Will your information be misused?
How should you deal with this?
  1. Read part 4 of the "How to hack a Facebook account" articles again.
  2. Read all the fine print before using an application.
  3. Search for your online identity from time to time: Google your name or related words.
  4. Use a pseudonymous account online. I know this is especially hard with Facebook, because you expect people to find you, but you probably need to do it anyway.
  5. When you find this kind of activity, report it to Facebook and lobby for change.
  6. Remove your profile from any website that you do not want hosting information about you. You do not know what they will do next if you continue to participate in their website or scheme. Remember that most of these websites are trying to leverage Facebook for information and traffic so that they can sell ads, grow the company, raise funding or go public.
This article concludes our exploration of Facebook's online security issues. I had a lot of fun doing it because I love using Facebook; I use it almost every week. But like others, we are not always careful with what we do online. While other websites hold limited information about us, Facebook's sharing capability allows information to flow beyond our sight. What goes on behind the scenes, social engineering, application-developer engineering and the like, are methods that could lure your most intimate information out of you and into their hands.
Stay safe online. And if you like what you read, please subscribe to our RSS feed by clicking in the top right-hand corner or entering your email address!
