Facebook myPersonality App Exposing its Sold Data on You

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, May 15, 2018.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    I guess if you just leave all that personal data you collected for sale to others openly exposed on the web for years, you have to wonder how valuable it truly is. That said, the myPersonality Facebook app did actually scrub your name off before exposing your personal data online. Apparently someone working for the app shared some of the code on GitHub, and put working login credentials in the code as well that allowed access to the database, for four years.


    Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.

    The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.
     
  2. katanaD

    katanaD [H]ard|Gawd


    once again proving.. the most effective "hackers" on the planet.. are the end users...


    LOL
     
  3. kju1

    kju1 2[H]4U

    What's even more annoying is this is a really easy security problem to fix. I.e. don't fucking include passwords in code files and scan your repos with a tool along the lines of Gitrob to ensure nobody is doing stupid shit...
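    A minimal version of the repo check kju1 is talking about, as an added example that is neither Gitrob's code nor anything from the thread: it flags assigned secrets, credential-bearing connection strings and random-looking literals in a constructed sample source file (all names and values below are made up).

```python
"""Minimal hardcoded-credential scanner for a pre-commit or CI check.
Added example; the regexes and SAMPLE_SOURCE are constructed for illustration."""
import math
import re

# The most common ways credentials end up in committed source files.
PATTERNS = {
    "assigned secret": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{6,})["']"""),
    "db connection string": re.compile(
        r"""(?i)\b[a-z]+://[^/\s:]+:[^@\s]+@[^\s"']+"""),
}
# Dummy values that should not produce noise.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "<redacted>"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high (roughly >= 3.5)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, matched_text) per suspicious line.
    Lines marked 'nosecret' are opted out; known placeholders are ignored."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if "nosecret" in line:
            continue
        hit = None
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m and m.group(m.lastindex or 0).lower() not in PLACEHOLDERS:
                hit = (no, kind, m.group(0))
                break
        if hit:
            findings.append(hit)
            continue
        # Catch-all: a long quoted literal with high entropy (e.g. an API key)
        for lit in re.findall(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""", line):
            if shannon_entropy(lit) >= entropy_threshold:
                findings.append((no, "high-entropy literal", lit))
    return findings

SAMPLE_SOURCE = """\
import psycopg2
DB_USER = "student"
DB_PASSWORD = "S3cr3tPassw0rd!"
conn = psycopg2.connect("postgresql://student:S3cr3tPassw0rd!@db.example.invalid/quizdata")
password = "changeme"  # placeholder, ignored
FB_TOKEN = "EAABsbCS1iHgBAKzZ9vXc3m7Qr8pLt2WdYf0NqJ"
ACCESS_ID = "Qm9dX2kL7pZr4TvW8yHc"
TEST_PW = "hunter2hunter2"  # nosecret
"""

def scan_sample():
    """Run the scanner over the constructed sample file."""
    return scan_text(SAMPLE_SOURCE)

if __name__ == "__main__":
    for no, kind, text in scan_sample():
        print(f"line {no}: {kind}: {text}")
```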
     
  4. Dead Parrot

    Dead Parrot [H]ard|Gawd

    This is what happens when non IT folks learn just enough coding skills to get done what they need done. Especially prevalent in the academic fields where paying for a real IT person has to be budgeted. "I don't need to hire an IT person and go through all of that University, State and Federal paperwork, I have a SQL and Javascript book and I sat in on Website Design 101 ten years ago!"
     
  5. SomeoneElse

    SomeoneElse [H]ard|Gawd

    Don't hire college students straight from school to fill senior level positions? I always thought experience trumps education level every time. Maybe I'm just old school like that.
     
  6. WhoMe

    WhoMe Gawd

    Hard coding the passwords, we weren't that dumb even in the 80's ;). This is just pathetic.
     
  7. kju1

    kju1 2[H]4U

    You may not have been that stupid in the 80s but I guarantee you there were plenty of people that were that stupid. It was just a whole lot less likely for anyone to care to report on it...
     
  8. WhoMe

    WhoMe Gawd

    Hence my wink, yes I saw it done. Some things are never learned.