
Peter Bright of Ars Technica points out in the comments on their story:

here's why this is particularly objectionable: Facebook bounces user links through a redirect to strip the user data out of URLs. Facebook already has the technology, understands it, and uses it elsewhere. But not for adverts. The failure to use the existing technology is peculiar.

The original article was sensationalist, and I think this was much more likely an oversight than something malicious, but still... oops.
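The bounce-versus-direct-link distinction Peter Bright describes can be checked mechanically. The following is an added example for this thread (not code from any commenter or from Facebook): a small audit that flags outbound links on a user-identifying page that skip the first-party redirector. The host names, the `/l/` redirector path, its `u` parameter and the user-id query names are all assumptions made for the example.

```python
# Added example (not from the thread). When a page's own URL carries a user
# identifier, a link that leaves the site directly exposes that URL to the
# destination in the Referer header; a link routed through a first-party
# redirect ("bounce") exposes only the bounce URL. HTML-escaping the href keeps
# the markup safe but does nothing about this leak. Names below are assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "www.example-social.test"   # assumed first-party host
BOUNCE_PATH = "/l/"                        # assumed redirector path
USER_ID_PARAMS = ("id", "uid", "user")     # assumed query names carrying a user id


class LinkCollector(HTMLParser):
    """Collects href values of <a> tags (HTMLParser unescapes &amp; for us)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def classify(href):
    """Return 'internal', 'bounced' (via first-party redirector) or 'direct-external'."""
    p = urlparse(href)
    if not p.netloc or p.netloc == FIRST_PARTY:
        # The redirector itself must validate/sign "u" so it is not an open redirect.
        if p.path.startswith(BOUNCE_PATH) and "u" in parse_qs(p.query):
            return "bounced"
        return "internal"
    return "direct-external"


def find_leaking_links(page_url, html):
    """Direct external links on a page whose URL identifies the viewing user."""
    if not any(k in parse_qs(urlparse(page_url).query) for k in USER_ID_PARAMS):
        return []
    collector = LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if classify(h) == "direct-external"]


# Constructed sample: the shared link is bounced, the ad link is not.
PAGE_URL = "https://www.example-social.test/profile.php?id=123456"
SAMPLE_HTML = (
    '<a href="/l/?u=https%3A%2F%2Fnews.example%2Fstory">shared story</a>'
    '<a href="/friends">friends</a>'
    '<a href="https://ads.example.net/click?c=42&amp;p=7">sponsored</a>'
)

if __name__ == "__main__":
    for link in find_leaking_links(PAGE_URL, SAMPLE_HTML):
        print("leaks user URL via Referer:", link)
```

Running it on the constructed sample reports only the sponsored link; the same check against real templates is what a third-party audit of the kind suggested below would start with.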




The failure to use the existing technology is peculiar.

Only if you have never coded software professionally in your entire life. A junior engineer on team B did not use the library code written by team A several years ago, which is probably documented mostly as a matter of oral lore among members of team A. Instead, mistakenly believing the problem to be trivial ("I have the URL they're going to! All I need is to output it. Hah, psych, I'm going to run it through our HTML escaper to make sure there is no cross-site injection. Security++ I am the awesome."), they handwrote a one-liner which worked fine. Two years later it is the subject of a WSJ article.

This only happens every single freaking day on every project I've ever been on. Heck, I have missed opportunities for re-use (and caused subtle side-effects through doing so) frequently when I was the only coder on the project.


At this point, it seems FB could benefit from a thorough third party security audit of their web technology.


That is definitely FB caught red-handed.

Amusingly, an alleged employee of Facebook here challenged me to find a single example of Facebook selling private information, and this seems to be the clearest example so far.

http://news.ycombinator.com/item?id=1312016


My challenge stands. There is no indication that Facebook made a cent off of this bug, nor that any advertiser was aware of the fact that a small percentage of ad clicks contained a user id.

"Alleged" employee? My name is Keith Adams, and here's an entry I posted to the Facebook engineering blog this week:

http://www.facebook.com/#!/notes/facebook-engineering/the-li...


Your challenge does not stand. It gets weaker every day.

There is a reason why Facebook is more appealing than other advertising venues. They offer more personal information. Facebook is smart enough to use a redirect cloaker for other content, why didn't they do it for ads? The reason is quite clear to me.

And yes, alleged. Your comments and profile offered no proof of your employment, so I was careful to represent that in my statement. Do you find anything wrong with that?


Easy there, crusader. There was no clear intent, and no selling of anything involved here. Read the story, not just the title.



