The ability to do a kind of advanced search on Facebook could have revealed information from private profiles to anyone who knew how to look for it.
Facebook has closed off the hole in its search functionality and given its users a greater level of privacy control over their profiles.
Chris Soghoian blogged about how Facebook search could be a privacy concern, especially in relation to European privacy laws.
"The Europeans do care about privacy. Sexuality and Religion are bits of information that they consider to be highly sensitive.. and thus, my little go fish attack is now suddenly a lot more important than it was before," Soghoian wrote.
"While Facebook does allow users to control their profile's existence in search queries, this second preference is not automatically set when a user makes their profile private - and thus many users do not know to do so," he wrote.
Doing an advanced query for a Facebook user's name and any profile attribute associated with it would retrieve a matching result if it exists. Soghoian demonstrated the proof of concept by creating a profile for himself and searching for its attributes.
A Facebook representative responded on Soghoian's blog, and said Facebook has fixed the problem.
Brandee Barker, director of corporate communications at Facebook, commented that information marked as private by a user will not return a result for an advanced search query.
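A toy model of the leak and of the fix described above, added here as an illustration and not Facebook's code; the profile store, field names and function names are all assumptions. It shows why hiding a field on the profile page is not enough if the search index still matches on it.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    attrs: dict                                  # attribute name -> stored value
    private: set = field(default_factory=set)    # attribute names marked private
    friends: set = field(default_factory=set)    # names allowed to read private attrs

# Constructed sample data, not real accounts.
PROFILES = [
    Profile("Alice Example", {"religion": "pastafarian", "city": "Bloomington"},
            private={"religion"}, friends={"Bob Example"}),
    Profile("Bob Example", {"religion": "none", "city": "Boston"}),
]

def visible(profile, attr, viewer):
    """Private attributes are readable only by the owner and their friends."""
    if attr not in profile.private:
        return True
    return viewer == profile.name or viewer in profile.friends

def search_leaky(viewer, name, **criteria):
    """Pre-fix behaviour: the viewer is never consulted, so a hit or a miss
    answers a yes/no question about a value the viewer cannot read."""
    return [p.name for p in PROFILES
            if p.name == name
            and all(p.attrs.get(k) == v for k, v in criteria.items())]

def search_fixed(viewer, name, **criteria):
    """Post-fix behaviour: an attribute takes part in matching only if this
    viewer could read it, so a private value and a wrong guess both yield
    an empty result."""
    return [p.name for p in PROFILES
            if p.name == name
            and all(visible(p, k, viewer) and p.attrs.get(k) == v
                    for k, v in criteria.items())]

if __name__ == "__main__":
    stranger = "Mallory Example"   # hypothetical viewer with no access
    print(search_leaky(stranger, "Alice Example", religion="pastafarian"))
    print(search_fixed(stranger, "Alice Example", religion="pastafarian"))
```

The access check has to run inside the query, per viewer and per attribute; filtering the rendered result afterwards still leaves the hit count as a signal.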
Fake Microsoft Patch Delivers Trojans Instead
A bogus email being circulated around the net claims to fix a zero-day vulnerability in Microsoft Outlook.
However, security firm Sophos warns that the only security threat comes from the offer of the patch itself:
Users are encouraged by the email to download a patch which, it is claimed, will fix the problem and prevent them from becoming attacked by hackers.
However, clicking on the link contained inside the email does not take computer users to Microsoft's website but one of many compromised websites hosting a Trojan horse.
In examples seen by Sophos experts, the emails have contained the recipient's full name, and the company they work for, in an attempt to lull users into a false sense of security. The emails, which have the subject line "Microsoft Security Bulletin MS07-0065," also arrive with a person's real name and the name of their employer. As with similar attacks like this one that pretend to be from Microsoft, this email should be deleted immediately.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews. www.securitypronews.com