Sunday, May 7, 2017

Watch after your privacy: Needy Facebook Apps

Some of us (myself included) share a lot of personal information on Facebook. By nature we avoid publishing anything confidential or delicate. We usually try to friend people we know for real. But often we forget about the connected apps that have access to our whole account, anytime, and that can act on our behalf.

A few weeks ago I noticed a friend had been sharing some unusual posts lately. This person was never notified that these weird, garbage posts were being made on their behalf. When I pointed it out, my friend replied that they were unaware of this and thought they had been hacked.

"Not so fast!" I said, and we reviewed together the almighty Privacy tab in the Facebook settings.



We didn't find anything suspicious there. So we moved to the Applications tab.


We found the rat! 🐀
As an astonishing surprise, we found a huge list of around 120 apps connected to the account. These are listed in the first section of the page, called "Logged in with Facebook". These apps are third-party companies that have access to a variety of information and can take actions on our behalf. Each app has its own separate configuration.

To see what privileges each app has, click on it to open a detailed window. Be careful not to click on the "x" that is shown when you hover the mouse over a particular app, since that removes it.


Example of the privileges an app has


Any app can be as needy as the company that created it wants, and can even have the ability to post on your behalf. To learn more about what permissions an app can request, see the technical Facebook developer documentation in this link.

Going deeper on the problem
How did these ~120 apps end up in my friend's account? Sometimes the surveys/quizzes we take ask to link to our account, and we overlook the requirements by just pushing "I accept"/"Link to account".
Other times it is the default way to log in to other services, like Duolingo or Spotify (please don't remove these apps, otherwise you will have trouble logging back in to their respective services).

In the past, apps always showed a window specifying what would be granted. This is no longer the case. Nowadays some games, for example, will automatically link to your account if you just open them, displaying only a small warning like the one below.



By clicking on "Play Now", the company that created the game gets access to your full name, your email address, your list of friends, age, gender, profile picture, language, country and other public info.

How to be safe
The rule of thumb is that most apps should not require any permission beyond "Public profile". But apps like Duolingo, for example, also ask for access to your friends list, so that they can show you a leaderboard of how well your friends are doing.
If you find an app that is really needy, you can edit the permissions before installing it by clicking on "Edit the info you provide", shown in the previous picture.

Alternatively, if you already have an app linked to your account, you can go to the Apps tab in your settings (https://www.facebook.com/settings?tab=applications), click on a given app and review what you are providing to it (check the third image in this article, titled "Example of the privileges an app has").

What if we have old quizzes or other apps we will never use again?
I recommend you go ahead and remove them! To do so, in the Apps tab of the Facebook settings, hover the mouse over an app you want to get rid of, click on the "x" that appears near the name of the app, and you will be prompted with a dialog like the one below. But not so fast! I would strongly suggest checking "Delete all your ____ activities..." so that anything evil the app published on your behalf is also removed.



Remember to stay safe!

Monday, March 6, 2017

From around the web March 2017

Boston Dynamics' new toy



Pix2pix
Given a drawing, this TensorFlow model tries to generate a real-world image that matches it.


Interactive website: https://affinelayer.com/pixsrv
TensorFlow model: https://github.com/phillipi/pix2pix

I created a beautiful cat:


Interesting reads from the web
Virtual reality directly in Chrome
https://blog.google/products/chrome/experience-virtual-reality-web-chrome/
Finding the coaching in criticism
https://hbr.org/2014/01/find-the-coaching-in-criticism
Using machine learning for a lawyer robot
http://www.trustedreviews.com/news/worlds-first-ai-robot-lawyer-overturns-160000-parking-tickets-uk
Twitter Bots during US elections
http://www.wired.co.uk/article/twitter-bots-democracy-usa-election
A filesystem that literally stores the information in a network.
https://github.com/yarrick/pingfs

Cloud Spanner
Google introduced Spanner, a global database service: distributed, highly available, scalable, global.



Amazon Go





Wednesday, March 1, 2017

Facebook is censoring the web

tl;dr: Facebook copies and stores GIFs from other websites by converting them to mp4 videos.

Driven by my curiosity, and by chance, I made this interesting and somewhat polemical finding.

I was browsing a friend's wall and noticed an old GIF I had published there. It was a funny picture of an actor. When I clicked on it to open the original website, I encountered a security warning, and there was no way to proceed to the apparently "unsafe website".

Original post

Malicious website warning

By checking the HTML source of the page I discovered that the GIF I was seeing on my friend's wall was an infinitely looping video hosted on Facebook's servers ("video-lga3-1.xx.fbcdn.net"), and I was able to see the video in an embedded player.

HTML source of the page

Embedded video direct link hosted by Facebook

Finally, one last interesting thing: Facebook stores and sends along the original URL of the image, but encoded, as part of its own request URLs. Maybe they are using this for some sort of caching?
This last finding allowed me to recover the original URL:


Now I am able to share the link again with other friends, outside of Facebook.
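As an added example (not code from the original post), here is how the "recover the original URL" step above can be done programmatically: walk the query parameters of a CDN request URL and pull out any value that decodes to an http(s) URL, following double encoding and nested URLs. The sample CDN URL and the `src` parameter name are constructed for illustration; the post does not say which parameter Facebook uses.

```python
"""Recover an original media URL that a CDN carries, percent-encoded, in its query string."""
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: a fbcdn-style video URL whose (hypothetical) "src" parameter
# holds the percent-encoded address of the GIF it was converted from.
SAMPLE_CDN_URL = (
    "https://video-lga3-1.xx.fbcdn.net/v/t42.1790-2/example.mp4"
    "?src=https%3A%2F%2Fexample.org%2Fmedia%2Ffunny-actor.gif%3Fv%3D2&efg=abc"
)


def _as_http_url(value: str) -> Optional[str]:
    """Return `value` if it is an absolute http(s) URL, else None.

    parse_qsl already removed one layer of percent-encoding; a second
    unquote() catches values that were encoded twice.
    """
    for candidate in (value, unquote(value)):
        parts = urlsplit(candidate)
        if parts.scheme in ("http", "https") and parts.netloc:
            return candidate
    return None


def find_embedded_urls(url: str, max_depth: int = 3) -> List[str]:
    """List every http(s) URL found in the query parameters of `url`.

    Nested cases (an embedded URL whose own query embeds another URL) are
    followed up to `max_depth` levels. Returns [] when nothing is found.
    """
    found: List[str] = []
    query = urlsplit(url).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        embedded = _as_http_url(value)
        if embedded is None:
            continue
        found.append(embedded)
        if max_depth > 1:
            found.extend(find_embedded_urls(embedded, max_depth - 1))
    return found


def recover_original_url(cdn_url: str) -> Optional[str]:
    """Return the first embedded URL (the likely original source), or None."""
    urls = find_embedded_urls(cdn_url)
    return urls[0] if urls else None


if __name__ == "__main__":
    print(recover_original_url(SAMPLE_CDN_URL))
```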