If you’re on Facebook and acting sensibly you’ll already have told the social networking site to hide your date of birth, so other Facebook users cannot view it. It’s a sensible thing to do, because your date of birth is one of those nuggets of information which can be invaluable to an identity thief.
You shouldn’t even show your date of birth on Facebook to your online ‘friends’. After all, if they’re your friends they should know when your birthday is anyway, right?
However, what I’m going to suggest you do now is go into your Facebook account and change your date of birth entirely, even if it has already been set to be hidden from view. So, if you were born on 23 November 1963 make it something like 20 July 1969 instead.
I’m telling you this because last night I found a flaw on Facebook which allowed me to view other people’s full dates of birth. Their dates of birth were exposed even if they had set them to be invisible or had told Facebook to hide the year.
Here is a video I have posted on the SophosLabs YouTube channel, demonstrating just how easy it was to view people’s dates of birth: http://www.youtube.com/watch?v=jUY2UdSfL7s
People’s birthdays were exposed on the new design that Facebook is trialling for its personal user profile pages, which can currently be accessed via www.new.facebook.com. According to the Facebook developers’ blog, Facebook will start rolling out the new profile page design to users this week. I’ve told Facebook about the flaw, and it appears for now that they have fixed the problem – but who knows if it will resurface in the future.
Facebook only asks you your age to ‘check’ that you’re an adult. You shouldn’t feel compelled to enter your real date of birth when a website asks you – choose a random date like I suggest above.
There is one little problem with telling Facebook a false birth date, however, that I feel compelled to point out. And that is that their Terms & Conditions do not allow you to do so.
Their T&Cs, last updated 7 June 2008, clearly state that:
"...In consideration of your use of the Site, you agree to (a) provide accurate, current and complete information about you as may be prompted by any registration forms on the Site ("Registration Data"); (b) maintain the security of your password and identification; (c) maintain and promptly update the Registration Data, and any other information you provide to Company, to keep it accurate, current and complete; and (d) be fully responsible for all use of your account and for any actions that take place using your account..."
So, the facts of the matter are that Facebook requires you to provide your real birth date, but then failed to properly protect it. With Facebook’s terms & conditions as they are at the moment, you need to decide whether you are prepared to deliberately violate them, or stop using the social networking website entirely.
Which will you choose?
If you want to learn more about Facebook security threats, join the Sophos page on Facebook.