Having spent the past few days trawling through Bebo’s source code trying to create a Firefox extension for the site (not helped by the lack of an API or the backwards table-based site design :rolls eyes:), I noticed something very unusual: Bebo leaving my personal information visible to all! Even after me telling it not to! Why? Money I suppose…
So let’s pretend I’m 13 (the lowest age you can join Bebo) for a second. Bebo won’t let me display my age on my Bebo Profile (which I can display publicly to anyone [although I'm warned not to unless I'm over 21. Come on Bebo, like kids these days are actually stopped by that!]). Which is good because if I’m 13 and my profile is public, any weirdo could contact me and you know how the story goes.
Come out of my fictitious story now and cut to me today trying to make my extension stop Bebo FlashBoxes from automatically playing when the page is loaded. YouTube videos are great as they wait to be clicked to start playing but VideoEgg videos have the option to autoplay, which can be really annoying as certain users like to play some em… dodgy… music. It is this autoplay variable that I was searching for and trying to tame but I found more than I expected.
The line of code in question is:
var origtitle=document.title; document.title=escape(document.title); var VE_api = VE_getPlayerAPI('1.2');var myMoviePath = '/gid329/cid1124/4S/G3/1177411571YvJRDMJCSa1cBF45TaJh';VE_api.embedPlayer(myMoviePath,355,298,false,'','FFFFFF',true,'site=bebo&area=userhomepages&vl=IE&va=17&vg=M&pa=18&pg=F&channel=Humor','');document.title=origtitle;
This line firstly requests the video:
var myMoviePath = '/gid329/cid1124/4S/G3/1177411571YvJRDMJCSa1cBF45TaJh';
Then the Width and Height that the video should be:
355,298,
and whether it should AutoPlay:
false,
This is the good bit: the site it’s displaying on, so it can place a watermark on the video (i.e. a Bebo logo), and what part of the site it’s on (i.e. a user homepage):
site=bebo&area=userhomepages
But it also includes what seemed like some random letters at first. Turns out they aren’t so random.
vl=IE&va=17&vg=M&pa=18&pg=F
vl stands for viewer’s location, Ireland here.
va, viewer’s age.
vg, viewer’s gender.
pa, player’s age and pg, player’s gender.
Why would a video player need all those details!? For advertising and statistics! Basically money. There is really no need for this and it appears to be only for VideoEgg videos.
Funny thing is that even if you set your age to hidden, which anyone, of any age, can do, it still shows here right in the source code! Not really hidden, is it? Also remember the made-up 13 year old at the beginning of this blog post? Yes, you guessed it! Anyone can see his age even though he doesn’t have the option to display it on his profile himself!
So let’s call on Bebo to remove this blatant invasion of privacy, at least to protect those who don’t (or can’t) display their ages on their profiles!
Update: I have now contacted Bebo on this matter and I am awaiting a response.
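One way the fix asked for above could look, as an added example that is not Bebo's or VideoEgg's code: the tracking string is built so the va/pa age fields are left out for anyone whose age is hidden or who is under the display age, and a check reports those keys if they show up in rendered page source. The person shape `{age, showAge}`, the function names and the default threshold of 16 are assumptions.

```javascript
// Added example; not Bebo's or VideoEgg's code. The keys va/pa come from the
// post. The person shape {age, showAge} and function names are assumptions.
const AGE_KEYS = ['va', 'pa'];

// Build the tracking string passed to embedPlayer(), leaving out the age of
// anyone who hid it or is below the age at which it may be displayed.
function buildPlayerParams(base, viewer, owner, minDisplayAge = 16) {
  const params = new URLSearchParams(base);
  const addAge = (key, person) => {
    if (!person || !person.showAge || person.age < minDisplayAge) return;
    params.set(key, String(person.age));
  };
  addAge('va', viewer);
  addAge('pa', owner);
  return params.toString();
}

// Regression check for rendered markup: report which age keys appear in the
// string arguments of any embedPlayer(...) call (key names only, no values).
function findAgeKeys(pageSource) {
  const found = new Set();
  for (const [, args] of pageSource.matchAll(/embedPlayer\(([^)]*)\)/g)) {
    for (const [, literal] of args.matchAll(/'([^']*)'/g)) {
      if (!literal.includes('=')) continue;
      for (const key of new URLSearchParams(literal).keys()) {
        if (AGE_KEYS.includes(key)) found.add(key);
      }
    }
  }
  return [...found].sort();
}

// Constructed input: the embed call from the post, with the movie path elided.
const leaky = "VE_api.embedPlayer(myMoviePath,355,298,false,'','FFFFFF',true," +
  "'site=bebo&area=userhomepages&vl=IE&va=17&vg=M&pa=18&pg=F&channel=Humor','');";
console.log(findAgeKeys(leaky));

// Viewer hid their age; page owner is 13, so neither age is emitted.
const safe = buildPlayerParams('site=bebo&area=userhomepages',
  { age: 17, showAge: false }, { age: 13, showAge: true });
console.log(safe, findAgeKeys(`embedPlayer(p,355,298,false,'','FFFFFF',true,'${safe}','')`));
```

Run against every rendered profile template, the second function works as a release check: a non-empty result for a user whose age is hidden means the setting is not being honoured in the markup.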
“Hello Bebo. I would like to draw your attention to a privacy flaw on your website. You can read about it here http://alanrice.wordpress.com/2007/07/16/obviously-bebo-doesnt-respect-my-privacy-at-least-not-when-money-is-involved/
Basically you are letting personal information slip to VideoEgg about the viewer and the player of the video, which is ok as it’s not identifiable info but anyone can look at the source code and use it to find out if a person is under 16 (as these users are not allowed to show their age on their profile).
I would consider this a major flaw as the reason for hiding a minor’s age is for their own protection yet you display it freely in the source code for all to see!
Please remove this code from your site or at least protect those who have their ages hidden or are under 16.
Regards,
Alan.“
Update: Bebo has replied to me saying:
“Hi
Many thanks for taking the time to let us know. I appreciate it. We take our member’s privacy very seriously and I have now forwarded this to our technical team for them to look into.
Please contact me again if I can be of further assistance.
Kindest Regards
Lupita”
Hopefully the matter will be sorted soon.

4 Comments
I doubt they have even bothered to do anything about it. It’s a joke to be honest.
Drop by http://www.tigerplug.com I have a few posts there regarding bebo.
Cool blog by the way.
Hey, good post. I’m an engineer at Bebo… we do take stuff like this seriously here so I’ll make sure that we get back to you soon.
To be honest, it’s not like we’re actively flaunting user’s private data, it looks like you went through a lot of trouble and found a flaw in our system, which we will most likely fix in the very near future. So thanks for the info, but the title of your post is a little dramatic if you ask me. Anyway, I know that dramatic posts are more likely to get read (and get the attention of people like me) so maybe it was worth it in the end.
Also you’ll be happy to know that we have disabled autoplay for all videos now (except for ones on sponsored pages). So no more “dodgy” music assaulting your poor ears…
Hi Jordy, Thanks very much for a response. Ok, I admit the title is dramatic but it got your attention and that was what I was trying to do.
That’s great about the autoplay being turned off; come on you have to admit it’s annoying!?
I’d like 2 have the option 2 have autoplay – why should 1 user dictate to every1 else their opinion of what dodgy music is…. We all should be given the autoplay choice on videos or maybe even a song that we would like to be played when your page is opened..
The really annoying part is that you have to open new tabs and log in twice if you want to update your page, but listen to a playlist or video at the same time.. Plz could you work on doing something bout that.. Bebo is good; but it’d be far better with these features……