DNS: Internet Security

October 25, 2010

DNS - Facebook Beefs Up Security After Privacy Concerns Surface



Facebook is introducing plans to encrypt user IDs and has come up with other safety precautions after press reports surfaced about privacy concerns on the popular social media service.

In a recent Facebook Developer blog post, developer Mike Vernal said Facebook has been investigating a technical solution to the issue of sharing Facebook User IDs (UIDs).

“While initial press reports greatly exaggerated the implications of sharing a UID, we take this issue seriously. Our policy is already very clear that UIDs may not be shared with ad networks and data brokers, but we recognize that some developers were inadvertently sharing this information via the HTTP Referrer header,” the blog post said.

Facebook explains that when a browser loads images or other resources on a Web page, it will sometimes send an HTTP header, the Referer header, that identifies the URL of the Web page containing the resource; any host serving those resources therefore sees that URL, query string included.

For one type of application written on Facebook Platform (iframe-based canvas applications), after a user has authorized the application, the URL of the iframe may contain the UID of the user, according to the blog post.

This UID is included in order to enable the application to build a personalized experience for the user.

In the few days since this issue was reported, some developers on Facebook Platform have started using techniques such as redirects or "double framing" (loading the application inside a second frame whose URL carries no UID, so that the page actually fetching third-party resources has nothing to leak) to remove UIDs from the URL.

While applications are able to address this issue on their own, Facebook said it wanted to find a solution that would address this issue for all applications on Facebook Platform.

To address this inadvertent sharing of UIDs, Facebook plans to start encrypting the parameters that it passes to iframe-based applications.

“We will start encrypting this parameter as well, using the application’s secret key, so that only the application will be able to read this information. This will prevent the accidental disclosure of this information via HTTP headers,” according to the Facebook blog post.

“Our plan is to enable parameter encryption as an option over the next few weeks and to then work with the community to add support for this option to the various Facebook SDKs. Once the design is finalized, we will work with our developers to ensure a speedy transition to encrypted parameters,” the blog post added.

While this proposal will address the inadvertent sharing of this information on Facebook, the underlying issue of data sharing via HTTP headers is a Web-wide problem. Facebook said it looks forward to working with the Web standards community and browser vendors over the coming months to help address this issue.
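The following is an added illustration, not code from Facebook or from the blog post quoted above, of the two halves of the problem described: a UID carried in an iframe URL leaks to any third-party host that receives the Referer header, and encrypting the parameter under the application's secret leaves that host with only an opaque blob. The canvas URL, the application secret, the key derivation and the encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag, so that it runs with the standard library alone) are all assumptions for demonstration; the page does not say which cipher Facebook chose, and a production system would use a vetted AEAD such as AES-GCM instead.

```python
# Added illustration (not Facebook's code): a UID carried in an iframe URL
# leaks to third-party resource hosts through the Referer header, and
# encrypting the parameter under the application's secret removes it.
# Everything below is constructed; the key derivation and the
# encrypt-then-MAC scheme are an assumption for demonstration, not the
# construction Facebook shipped.
import base64
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

CANVAS_BASE = "https://apps.example.com/canvas/"   # constructed app URL
NONCE_LEN, TAG_LEN = 16, 32


def referer_for(page_url: str) -> str:
    """Referer a 2010-era browser sends when the page at page_url loads a
    third-party image: the full page URL, query string included."""
    return page_url


def leaked_uid(referer: str) -> Optional[str]:
    """What a third-party host can read off that Referer."""
    return parse_qs(urlsplit(referer).query).get("uid", [None])[0]


def _keys(app_secret: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the one app secret.
    return (hmac.new(app_secret, b"enc", hashlib.sha256).digest(),
            hmac.new(app_secret, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only PRF keystream.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]


def encrypt_params(app_secret: bytes, params: dict,
                   nonce: Optional[bytes] = None) -> str:
    """Encrypt-then-MAC the query parameters; returns a URL-safe token."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key, mac_key = _keys(app_secret)
    plaintext = urlencode(params).encode()
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def decrypt_params(app_secret: bytes, token: str) -> dict:
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _keys(app_secret)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: token forged or corrupted")
    plaintext = bytes(c ^ k for c, k in
                      zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return {k: v[0] for k, v in parse_qs(plaintext.decode()).items()}


def plain_canvas_url(params: dict) -> str:
    """The pre-fix shape: UID in the clear in the iframe URL."""
    return CANVAS_BASE + "?" + urlencode(params)


def encrypted_canvas_url(app_secret: bytes, params: dict) -> str:
    """The post-fix shape: one opaque parameter only the app can open."""
    return CANVAS_BASE + "?" + urlencode({"p": encrypt_params(app_secret, params)})


if __name__ == "__main__":
    secret = b"constructed-app-secret"
    params = {"uid": "12345", "session": "abc"}
    print("before:", leaked_uid(referer_for(plain_canvas_url(params))))   # 12345
    url = encrypted_canvas_url(secret, params)
    print("after: ", leaked_uid(referer_for(url)))                        # None
    token = parse_qs(urlsplit(url).query)["p"][0]
    print("app decrypts:", decrypt_params(secret, token))
```

The tag is checked before anything is decrypted, so a third party who sees the token in a Referer can neither read the UID nor mint a token for a different user without the application secret. Confidentiality is all the page asks for; a real deployment would also bind a timestamp or expiry into the plaintext so that a captured token cannot be replayed indefinitely.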

In a recent blog post, Facebook also announced new features to help make the experience on Facebook more secure.

Facebook launched one-time passwords to make it safer to use public computers in places like hotels, cafes or airports. If users have any concerns about the security of the computer they are using to access Facebook, the company can text them a one-time password to use instead of the regular password.

Users text "otp" to 32665 from their mobile phone (U.S. only) and immediately receive a password that can be used only once and expires in 20 minutes.

In order to access this feature, users will need a mobile phone number in their account.

They are rolling this out gradually, and it should be available to everyone in the coming weeks.
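As an added example, not Facebook's implementation, the following models the server side of the one-time password feature described above: a code that stands in for the regular password, is accepted at most once, and expires 20 minutes after issue. The in-memory store, the code alphabet and length, the attempt limit, and the injectable clock are constructed assumptions; the SMS delivery step is omitted.

```python
# Added illustration (not Facebook's code) of the one-time password
# semantics the page describes: a code that stands in for the regular
# password, works once, and expires after 20 minutes. The storage, the
# code alphabet and length, and the attempt limit are constructed
# assumptions; the SMS delivery step is left out.
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 20 * 60            # from the page: expires in 20 minutes
OTP_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"   # assumed: no 0/O, 1/I/L look-alikes
MAX_ATTEMPTS = 5                     # assumed: burn the code after repeated guesses


@dataclass
class _Issued:
    code: str
    expires_at: float
    attempts: int = 0


class OneTimePasswordService:
    """One outstanding code per user; the clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}   # user_id -> _Issued

    def issue(self, user_id: str, length: int = 8) -> str:
        """Generate a fresh code (the caller would text it to the user's
        verified phone number). Any earlier outstanding code is replaced."""
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))
        self._codes[user_id] = _Issued(code, self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, candidate: str) -> bool:
        """Accept the code at most once and only before it expires."""
        issued = self._codes.get(user_id)
        if issued is None:
            return False
        if self._clock() > issued.expires_at:
            del self._codes[user_id]          # expired: discard
            return False
        issued.attempts += 1
        ok = hmac.compare_digest(issued.code.encode(),
                                 candidate.strip().upper().encode())
        if ok or issued.attempts >= MAX_ATTEMPTS:
            del self._codes[user_id]          # single use, or too many guesses
        return ok


if __name__ == "__main__":
    svc = OneTimePasswordService()
    code = svc.issue("alice")
    print("texted code:", code)
    print("first use: ", svc.verify("alice", code))    # True
    print("second use:", svc.verify("alice", code))    # False
```

The comparison is constant-time and the code is deleted on first successful use, so a code typed into a hotel lobby machine and captured by a keylogger is worthless afterwards; the regular password, which this feature exists to keep off that machine, is never entered at all.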

Second, the ability to sign out of Facebook remotely is now available to everyone. These session controls can be useful if you log into Facebook from a friend's phone or computer and then forget to sign out. From your Account Settings, you can check if you're still logged in on other devices and remotely log out.

Under the Account Security section of your Account Settings page you'll see all of your active sessions, along with information about each session. In the unlikely event that someone accesses your account without your permission, you can also shut down the unauthorized login before resetting your password and taking other steps to secure your account and computer.

Lastly, when people log in to Facebook, it will regularly prompt them to keep their security information updated.


Ed Silverstein is a TMCnet contributor.

Edited by Tammy Wolf
