Not sure how they are doing this, but I have gotten tired of having to play “whack-a-mole” with FB scraping private information from my browser in other ways, so what I have done is sandboxed it: I have a separate “Facebook” account on OS X, and I assume that anything I do on that account is shared with Facebook.
I don’t log into Facebook for any reason on my normal user account, and I don’t log into anything else on my Facebook account. They can still sniff certain things using browser fingerprinting and so on, but this seems like the best I can do for the moment on my desktop.
Did you happen to read the answers? Two specifically mention that Facebook requests authentication access (OpenID, I believe) the first time. It appears this user authorized Facebook at some point in the past and forgot about it.
When I look at this page: https://accounts.google.com/b/0/IssuedAuthSubTokens I can see that at some point in the past, I allowed Facebook access to my Google Contacts (probably their "find friends" feature). Facebook could use that to check if you're logged in.
When I tried it, Facebook created a popup with a OAuth prompt the first time and only briefly opened a blank popup on subsequent attempts. De-authorizing facebook makes the prompts appear again."
Unless they're talking about two different prompts?
> I have done is sandboxed it: I have a separate “Facebook” account on OS X
At what point will you decide to ban Facebook? Will you stop using their services if they find a way to spy on your cross-browser behavior? Or will you just sandbox them further into a VM, or even another physical machine? What if other sites you use regularly also start tracking you so aggressively?
I deleted my FB account when I learned that more of my profile info was being made public over time. This was before Like buttons.
I was not a heavy user, but this decision had its price; there are people I no longer communicate with because of it. Still, I'm happy I took a stand, all the more so because things have deteriorated much further since then in terms of privacy.
I have a dedicated Firefox profile for Facebook. This keeps all cookies separate. I haven't done a deep check as to whether this avoids all the Facebook problems, but it's a start.
You make an interesting point--why is it the technically savvy are partitioning their FB usage, but not necessarily partitioning their secure accounts in the same way?
Chrome supports multiple profiles now, see http://chrome.blogspot.com/2011/11/take-your-chrome-stuff-wi.... I can't believe so few HN readers know this, since it's the best way to use seperately Google Apps and Gmail accounts. It works for Facebook too, obviously.
You can sync all Chrome browsers, on all your devices, with both your Google Apps account for work and your personal Gmail account. It means that each profile have their own bookmarks, history & most visited pages, extensions, saved passwords (...) synced in real-time (you can even sync open tabs!). It's very powerful to improve your focus, because you only use 1 browser (no need to switch your habits) and you're never get distracted by notifications, mails, docs, rss when you're in your work/perso "station".
With the "Like" button littered all over the web, Facebook can still connect you to all the websites that have the Like button installed! That's why I prefer AdBlock/Privacy Filters/even blocking Facebook domains by adding entries to /etc/hosts file to prevent even even a connection to their (known) IPs.
That's a pretty solid way to handle security. I wonder if there's a way to make sure you're always booting from the same starting point so that nothing is persisted to the image between vm sessions.
I have been spending a lot of time looking into how to best solve the web's current facebook problem. I'm especially interested in approaches to distributed social networking (think what the Diaspora guys are aiming at).
With that preface, it's my impression right now that https://singly.com deserves a serious look from communities such as hacker news. So, I'm mentioning it here.
A little about them: they're led by the guy who created XMPP (aka Jabber). He's written a new distributed protocol based on JSON instead of XML ( http://www.telehash.org/ ). They've been joined by the guy who lead Canonical (publishers of Ubuntu). Like Wordpress, they are part free software project and part optional hosting company.
No, I am not affiliated with them. But I am really thinking that I would like to be...
A bunch of organizations seem to be more consistent adding "Events" to their Facebook page than updating their website, also, so I need to periodically check if I don't want to miss things.
If there are people who can cut you off for not using FB, that means simply that you are less important to them than they are to you. It means that they are strong and you are weak. Are you seriously going to let such people emotionally blackmail you into using FB?
Situations like yours always remind me of how people emotionally force each other to stay in a religion, by threatening a cut-off of communication if they leave.
In Criminal Minds, they talk about a perp devolving .. as business pressures increment[1] .. these incidents will only increase in occurrence and decrease in terms of surprise for users.
I was browsing Facebook in Chromium in Mac OS when all of sudden, something started requesting Key Chain access for just just about every web site login I have stored. Coincidence? I have no idea what was going on, never happened before or since.
I'm familiar with DDG, donttrack.us, dontbubble.us. My question was because even without an account or using its search engine, with AdWords and other products, Google is able to track people to provide them – and those who fall in the same bucket – targeted advertisement (which is what Facebook uses the same data for).
I am not much concerned about this – but I'm starting to, sometimes it is actually a bit creepy –, but I see a lot more people concerned about Facebook tracking them than Google, which I don't understand, since Google has been doing it far longer and in a much more pervasive way, yet very few people express concern about Google these days. I remember the uproar when Gmail introduced content targeted ads, but now nobody cares anymore, directing all attention only to Facebook.
Tangentially, the issues raised by dontbubble.us concern me more than being tracked.
Kind of – I have one separate browser for Facebook and Google (as in all Google products where I'm logged in). All my other browsing is done in my main browser through Tor, including my searches for which I use Scroogle.
Facebook doesn't really have a targeted audience anymore. It's pretty much everybody. At this point its like deciding not to use the telephone because the line could be tapped. Facebook is becoming an essential communications platform for a lot of people. Particularly people under 20.
Events - a lot of people post events on Facebook and trust that all of their friends will see it.
Photos - a lot of people only share photos through Facebook. If you want to see or download photos someone has taken at an event you were at your probably need to use Facebook.
Email - most younger people do not use email (unless they have to for school/business. Instead they use Facebook messages.
I won't bother addressing you last comment. Maybe your experience of high-scool was different than mine was, which consisted of a lot more that 'silly high-school gossip'.
Really though, you're choosing to socially isolate yourself in two ways. First from everyone using Facebook for social organization (the status stream is considered as almost a joke by now by a large portion if users).
But you're also isolating yourself by simply drawing a point that you don't have Facebook anymore. It's an eye roll producer on the level of saying "Oh, I don't have cable/TV anymore." Sure, lots of people agree with that notion but it's used to drive a wedge in-between you and others by most
It's not very hard to do. The trick is to know a resource that only the user can access and then trigger an HTTP request to it.
For instance if you have website a and say the user profile "mitsuhiko" can only be edited when you are logged in as "mitsuhiko" on http://a.example.com/profile/edit/mitsuhiko you could use this code to see if the logged in user is "mitsuhiko":
Why does this work? Because onload is fired if the resource answers with 200 OK, not if it's a valid script. onerror is called for any other error code.
So if you know what you are probing for: easy.
// Edit: Yes, this is most likely not what Facebook is doing if that's their only method of security. However see my reply to the first comment here about the security aspect for a possible way to solve this problem.
Except something like this would be easily spoofable, ie. you could set your hosts file to make all a.example.com links return HTTP 200's, or open firebug to call user_is_logged_in() and you could reset passwords without any email.
Also, for something like that you should use <img> instead so it's less of an XSS risk.
> Except something like this would be easily spoofable, ie. you could set your hosts file to make all a.example.com links return HTTP 200's, or open firebug to call user_is_logged_in() and you could reset passwords without any email.
Yes. But depending on how gmail works it could me made reliable and secure. For instance if you can share images with gmail users you could generate a unique image for that user, do the same thing with an <img> tag, access the image data with JavaScript, send it back to the server and compare if the contents are the one you shared.
I do not have a gmail account so I don't know if this is possible, it it seems like it would be possible for Google+ from briefly looking at it.
I deleted my other question about how FB can know that the image is not a fake. My finger hit the wrong button ;) I'll answer here. Your idea can be done, but I don't see the advantage it would have over other methods.
The service would need to send out the Cross Origin Resource Sharing headers in order for the image to be accessible via <canvas> and the service also needs a means for the querying server to test if a certain image is indeed the one associated with the user.
And if it was an image generated by Facebook, then Facebook must have access to the account beforehand, and there's no benefit to using this system over OAuth.
> The service would need to send out the Cross Origin Resource Sharing headers in order for the image to be accessible via <canvas> and the service also needs a means for the querying server to test if a certain image is indeed the one associated with the user.
Only facebook knows the image it generated. Since that image is only shared with that one mail address you won't be able to spoof it unless you control that mail address.
That's not a secure method. Because it's browser based it can be faked with a proxy or simply modifying the local hostname file and map the domain to a server you control.
When I tried the same thing, it popped up a OpenID dialog the first time, and I confirmed it by seeing facebook.com on https://accounts.google.com/b/0/IssuedAuthSubTokens Revoking the facebook token causes Facebook to prompt again.
Subsequent attempts make the auth dialog flash briefly without displaying any content and still present the "You can change your password immediately because you are logged into your email account on this browser" message.
That's pretty neat, I wish they'd publish on how they did this so others could use it. Sounds like another great way to remove friction for the user, always a great thing.
Well...except people generally only appreciate these features when they're allowed explicitly. It's kind of unsettling having a website spontaneously know your activity elsewhere on the browser. Even well-intended, it can come off as tracking data.
It is explicit, apparently FB is using OpenID which is information supplied by you linking the two accounts, completely opt-in. Besides, it's hardly tracking you with this feature, a boolean: is user logged in to Gmail? Yes|No
If yes, user can be verified quickly and reset their password in an easier fashion for them. Facebook is trying to make things smoother and not making you jump into your email to click a link or copy some token id or something. This is good UX.
It must be using oAuth. I think it was a mistake in the oAuth protocol to not build in a default, short, expiration for secret keys. Now users (most of them non-tech savvy) have to rely on visiting the apps page and manually removing authorizations.
Edit: I just profiled the process, and it is using OpenID. It pops open a new window that will check your OpenID login and call back with a success and will close the window if it is. I had to slow down my connection to actually see it.
I think they should have used that information differently. Given they know that you are already logged into your gmail, any visitor to your machine will therefore know how to reset the password to his advantage.
Instead, they should have make a block, so that you are forced to logout of your gmail and login to your gmail to enhance security.
What i am saying is that you are forced to re-login to prevent someone stealing your facebook account when he has access to your computer. given that most people stay logged into their gmail, i think this would actually be helpful
If you're logged into your e-mail, then someone can go to Facebook, and start password recovery, and then go to your e-mail and click the recovery link. If you're not logged in, then the OpenID authentication will require you to enter your e-mail. This isn't a weakness, just a convenience.
How is that not a weakness if anyone who has access to your computer can set an arbitrary password on your facebook account? (given you are logged into your gmail). I think it would be a nice feature if facebook would use that information to force a relogin
IMHO, this does not seem to be related to OAuth. OAuth is three-leg authentication, and the service provider - Google in this case - will prompt the user to allow the consumer - facebook in this case - to allow an authentication attempt. Except of course the user has done the authentication in a previous attempt and facebook cached the token, but based on facebook's wording, because you are logged into your email account on this browser, does not seem to support this.
Question...has anyone noticed if this relationship is reciprocal? I keep an eye on my Gmail ads to see how far along they track my activity while I am logged in and browsing, but has anyone noticed Gmail ads showing content that wouldn't be there without placement or data from Facebook? Obviously this doesn't apply if you sandbox Facebook as some commenters have, but if you use both in one browser I mean. I may use Firebug and see if the two communicate while I'm logged in...
The latest Chrome dev channel release includes multiple profiles, where you can have multiple browser windows each running in their own sandbox. Pretty neat.
It uses (by purpose) the same session though as the main Chrome instance.
But it should be possible to implement an option to use a separate session. This might even be much simpler than my current approach (which not only shares the session, it also uses the same Chrome process).
I like the idea, but I'm not sure if I can trust this level of sand-boxing. Does it also use a separate cache (web history, etags, image cache, web cache, etc)? a separate Flash storage? Silverlight storage? HTML5 storage? If any of them are shared, something along the lines of Evercookie would have no problem maintaining cookies across the apps.
Cache is completely separate, Flash and Silverlight (and plugins in general) aren't sandboxed, which is why I deactivated them for my Facebook Browser. (no more embedded youtube videos, but they open in my main browser, works just as well)
I don’t log into Facebook for any reason on my normal user account, and I don’t log into anything else on my Facebook account. They can still sniff certain things using browser fingerprinting and so on, but this seems like the best I can do for the moment on my desktop.