Wednesday, June 30, 2010

White Hat Uses Foursquare Privacy Hole to Capture 875K Check-Ins

Via -

If you have checked in with Foursquare in San Francisco in the last three weeks, Jesper Andersen probably knows where and when — even if you’ve set your check-ins to be published to friends only.

Andersen, a coder who recently built a service called Avoidr that helps you avoid social network “friends” you don’t really like, figured out that Foursquare had a privacy leak because of how it published user check-ins on web pages for each location.

On pages like the one for San Francisco’s Ferry Building, Foursquare shows a random grid of 50 pictures of users who most recently checked in at that location, no matter what their privacy settings. When a new check-in occurs, the site includes that person’s photo somewhere in the grid. So Andersen built a custom scraper that loaded the Foursquare web page for each location in San Francisco, looked for the differences between successive loads and logged the changes.
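The leak works because a public aggregate (a grid of recent check-ins) changes whenever a private event (a friends-only check-in) happens, so polling the page and diffing successive snapshots recovers the event. The following is an added example of that change-detection approach, not Andersen’s scraper or Foursquare’s code: the page markup (a `checkin-grid` container with `data-user` attributes on the avatars), the venue name and the two page snapshots are all constructed assumptions for illustration. The first poll of a venue only records a baseline, since everyone in it would otherwise be reported as a fresh check-in.

```python
import html.parser


class GridParser(html.parser.HTMLParser):
    """Collect user ids from <img> tags inside the recent check-in grid.

    The markup (a div with class="checkin-grid", avatars carrying a
    data-user attribute) is an assumption for this example, not
    Foursquare's real page structure. Images outside the grid (for
    instance a "who's here now" widget) are deliberately ignored.
    """

    def __init__(self):
        super().__init__()
        self.in_grid = False
        self.depth = 0          # nesting depth of divs inside the grid
        self.users = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if tag == "div" and "checkin-grid" in classes:
            self.in_grid = True
            self.depth = 1
            return
        if self.in_grid:
            if tag == "div":
                self.depth += 1
            if tag == "img" and attrs.get("data-user"):
                self.users.add(attrs["data-user"])

    def handle_endtag(self, tag):
        if self.in_grid and tag == "div":
            self.depth -= 1
            if self.depth == 0:
                self.in_grid = False


def grid_users(page_html):
    """Return the set of user ids currently shown in the venue's grid."""
    parser = GridParser()
    parser.feed(page_html)
    return frozenset(parser.users)


class CheckinLogger:
    """Poll venue pages and log users that newly appear in the grid.

    A user present now but absent on the previous poll must have checked
    in since then. The logged time is the poll time, so precision is
    bounded by the polling interval. A user who checks in again while
    still shown in the grid is not detected, a limitation of set-diffing
    a randomly ordered grid.
    """

    def __init__(self):
        self.last = {}   # venue -> frozenset of users last seen in its grid
        self.log = []    # (timestamp, venue, user) tuples

    def poll(self, venue, page_html, now):
        users = grid_users(page_html)
        if venue not in self.last:          # cold start: baseline only
            self.last[venue] = users
            return []
        new = sorted(users - self.last[venue])
        for user in new:
            self.log.append((now, venue, user))
        self.last[venue] = users
        return new


# Constructed snapshots of one venue page, taken a few minutes apart.
# Between them "alice" rotated out of the grid and "dave" checked in.
SNAPSHOT_1 = """
<html><body><h1>Ferry Building</h1>
<div class="here-now"><img data-user="mayor" src="m.png"></div>
<div class="checkin-grid">
  <div class="cell"><img data-user="alice" src="a.png"></div>
  <div class="cell"><img data-user="bob" src="b.png"></div>
  <div class="cell"><img data-user="carol" src="c.png"></div>
</div></body></html>
"""

SNAPSHOT_2 = """
<html><body><h1>Ferry Building</h1>
<div class="here-now"><img data-user="mayor" src="m.png"></div>
<div class="checkin-grid">
  <div class="cell"><img data-user="dave" src="d.png"></div>
  <div class="cell"><img data-user="bob" src="b.png"></div>
  <div class="cell"><img data-user="carol" src="c.png"></div>
</div></body></html>
"""

if __name__ == "__main__":
    logger = CheckinLogger()
    logger.poll("ferry-building", SNAPSHOT_1, "2010-06-10T12:00:00")
    print(logger.poll("ferry-building", SNAPSHOT_2, "2010-06-10T12:05:00"))
    print(logger.log)
```

The point for defenders is that randomising the grid or capping it at 50 entries does not help once an observer can sample it repeatedly; the only fix is to honour the user’s privacy setting when building the public view, which is what Foursquare’s opt-out change does.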

Even though he was using an old computer running through the slow but anonymous Tor network, Andersen estimates he logged about 70 percent of all check-ins in San Francisco over the last three weeks.

That amounts to 875,000 check-ins.


Andersen reported the privacy breach to Foursquare two Sundays ago, and the company admitted the bug existed. They asked for a week or so to fix it, and now, according to an e-mail sent to Andersen, the company is modifying its privacy settings to let users opt out of being listed on a location’s web page. The site previously allowed users to opt out of being listed in the “Who’s here now” function, but until Tuesday that setting didn’t apply to the “Who’s checked in here” listing.

“I’m trying to be white-hat,” Andersen said. “It definitely felt icky at times.”

Andersen confirmed the validity of his script’s findings by checking the results with people he knew. And even though his groups of friends “live in a data mining culture,” the findings didn’t sit well with all of them.

“Some were grossed out by it, and a couple of people stopped using Foursquare,” Andersen said. “One had a stalker and got creeped out by it.”

Foursquare declined to respond to two e-mail requests for comment, but in an e-mail to Andersen, Foursquare programmer Jon Hoffman thanked him for bringing the issue to the company’s attention.


Privacy settings are great, and people really should set them to be as private as possible (while keeping the service usable for your needs), but you really shouldn't trust those settings to keep your data completely private. A setting only controls what the service intends to show; it does nothing about what the service leaks elsewhere, as this case shows.

There is always a risk that the information will be exposed. It's best to be aware of this residual risk, and either accept it, or not.
