Alum Finds Facebook Bug

Under certain conditions, the personal information of users on thefacebook.com may be accessible to anyone on the Internet, according to Aaron J. Greenspan ‘04-’05 the president and CEO of the Boston-based software publisher Think Computer Corporation.

But thefacebook.com founder Mark E. Zuckerberg ’06-’07 said yesterday that the problem had been fixed.

Greenspan said that a feature on the thefacebook.com that allows users to export their lists of virtual “friends” had been programmed to store the information as a file on the website’s servers, making it potentially accessible to the prying eyes of strangers.

Ordinarily, information in facebook profiles is accessible only to the set of people that a user designates in his or her privacy settings.

The exported files contain personal information from the profiles of the students documented in them, such as names, e-mail addresses, and phone numbers.

“The problem is that since this is a text file, it doesn’t have any built-in security or authentication,” Greenspan said. “As long as someone knows the name of the file, they can access it.”

Greenspan said he was able to quickly write a program that automatically sought out these files and use it to download the contact information of several thousand Harvard students.

Greenspan said he contacted Zuckerberg, whom he knows personally, to let him know about the problem on March 20.

“The way they went about [addressing the issue] still doesn’t really solve the problem,” Greenspan said. He said the website’s staff had set the files containing the personal information to be deleted at regular intervals, but the files would still have potentially been at risk for a limited window of time.

“They’ve actually put in more security features now,” he said, but maintained that personal information could still potentially be accessed by anyone with an Internet connection.

But Zuckerberg said all the security issues that Greenspan raised have already been resolved.

“It was a bug. It’s fixed,” he said.

Zuckerberg said that even when the files were hypothetically accessible, the security risk was minimal.

“If someone was trying to get someone else’s contact information, they would have to first get their user ID out of over two million users, they’d have to identify which of 50 servers the file was on, which there would be no way for them to know, and then even if they got that, then they’d only have a few minutes before the server cleaned itself and purged the file,” Zuckerberg said.

According to Greenspan, the exporting feature could have been programmed in such a way that the sensitive files would not have been deposited on a server at all.

“It takes a little bit more work to make that actually happen,” he said. “But it’s worth doing.”

But Zuckerberg said none of the issues with the website constituted “that big of a threat.”

Greenspan said he was still able to exploit the flaw as of March 28. “I haven’t looked at it lately,” he said.

“I can see how they’re trying to make it more difficult to find the files, but the fact is...I just was able to still see the information without logging on,” Greenspan said, as he experimented with the glitch during an interview with The Crimson.

—Staff writer Matthew S. Lebowitz can be reached at mslebow@fas.harvard.edu.