Sometimes writing about security exploits is like shooting fish in a barrel. It's a "target-rich environment", as the fighter pilots say. And when it comes to screwing up security, big companies are just as likely to do it as little companies, if not more.
Facebook, the service that "helps you connect and share with the people in your life", has a dreadful record when it comes to privacy and security. Because of their "Oops-we-did-it-again" track record in not protecting their members' data, they should probably call themselves the service that "helps you connect and share with the people in your life, especially the marketers and identity thieves."
I'm not a fan of Facebook. I don't have a Facebook account, and I don't ever expect to have one. Those of you who do have had your personal information shared, stolen, and sold more times than I can count. But worse than the naked, mercenary greed of Facebook selling off your information to anyone who wants it are the ongoing examples of simple security incompetence at Facebook. A month or so ago, a mismanaged code update accidentally revealed "hundreds or thousands" of private user email addresses. Before that, Facebook was found to be accidentally sending private messages to the wrong users. And those are just a couple of examples.
But the hits just keep on coming. Just a week ago, security engineer Joey Tyson found and described a truly epic security hole in Facebook Platform: an exploit that would allow a malicious website operator to silently access all of a user's profile information, including photos, messages, and wall posts, with zero action required on the user's part.
The exploit, which has now been patched, was able to hijack the session of a third-party Facebook application and secretly pass it off to a malicious application. The result was that any of the many millions of people who had previously played Farmville and then visited the malicious site would have their data invisibly harvested in the background, unbeknownst to them. Even worse, if the user had given Farmville permission to access their Wall or messages, then the malicious application could do that too.
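The core of the flaw described above is a session that the platform accepts from an application other than the one it was issued to. As an added illustration (not the original post's code, and not Facebook's), here is a constructed token check in Python that shows a weak validator, which only checks the signature, beside a hardened one that also binds the session to the issuing application; the secret, app ids and user ids are made up.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real platform keeps this server-side and rotates it.
SERVER_SECRET = b"demo-platform-secret-not-real"


def issue_session(app_id, user_id, scopes):
    """Mint a session token that records which application it was issued to."""
    payload = json.dumps({"app": app_id, "user": user_id, "scopes": scopes},
                         sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def _verify_signature(token):
    """Return the decoded claims if the HMAC checks out, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token (bad base64, bad JSON, missing separator)


def weak_authorize(token, requesting_app, scope):
    """Flawed check: any validly signed session is honoured, no matter which app presents it."""
    claims = _verify_signature(token)
    if claims is None or scope not in claims["scopes"]:
        return None
    return claims["user"]


def hardened_authorize(token, requesting_app, scope):
    """Correct check: the session must have been issued to the app that presents it."""
    claims = _verify_signature(token)
    if claims is None or scope not in claims["scopes"]:
        return None
    if claims["app"] != requesting_app:
        return None  # session belongs to a different application: reject
    return claims["user"]


if __name__ == "__main__":
    tok = issue_session("game-app", "user-42", ["read_profile", "read_inbox"])
    print("weak, other app:", weak_authorize(tok, "other-app", "read_inbox"))
    print("hardened, other app:", hardened_authorize(tok, "other-app", "read_inbox"))
```

Run stand-alone, the weak check hands "user-42"'s inbox to "other-app" while the hardened check returns None, which is exactly the distinction the patched platform had to enforce.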
Considering Facebook has an enormous infrastructure with hundreds of engineers and software developers working for it, you'd think that they would have a better track record than this. Validating user permissions is not magic, nor is it something that's never been done in software before. Well, except at Facebook.