Facebook's widget security? You could throw a sheep through it

Linking up social websites, as proponents of "data portability" would have us do, can be hazardous to your privacy. And Paris Hilton's, and Lindsay Lohan's. But even the widgets on a single social network can leave us exposed. SuperPoke, a popular application made by Slide, will show you who's thrown a sheep at anyone, as long as you have their Facebook ID — the unique numeric identifier which shows up in the URL of their Facebook profile. Mark Zuckerberg's SuperPoke feed is here; substitute the number of another Facebook user for Zuckerberg's "4", and you can see every last sheep he or she has been involved with.

Facebook's widget security? You could throw a sheep through it


Byron Ng, the inquisitive Canadian computer technician who found a hole in MySpace's linkup with Yahoo, tipped me off to this trick, which works with a wide range of widgets, he says, whether or not you're friends with a given user. (SuperPoke has a private-actions option, but it's hard to find and few people seem to use it.)

Is it scandalous to learn that, say, Slide CEO Max Levchin has "bitten" Facebook CEO Mark Zuckerberg? Not especially (though Levchin went through a rather disturbing biting phase last month). What it tells us, really, is just how unseriously people take the widgets on Facebook. That these applications have remained wide open just goes to show that they don't do anything worth hiding. And where's the fun in that?