When streaming video site Hulu announced it was adding a new, first-of-its-kind feature (one that will become a staple going forward), it was not talking about giving its users the ability to access random strangers’ accounts instead of their own.
Yet, that’s exactly what happened when people tried to link their Hulu accounts with their Facebook profile via Facebook Connect. Connect is a service that lets Facebook users log into third-party services using their Facebook account information.
Hulu said shortly after launching its Facebook Connect feature Friday that it noticed a small number of users were seeing someone else’s account information upon logging in to the site. That means they saw someone else’s queue (playlist) of videos, subscriptions and friends. The company confirmed that 50 of its users were affected by this flaw, which could have exposed their profile data. Highly sensitive information such as account passwords or credit card numbers were not compromised as a result of the bug, the company said.
But the company’s statement conflicts with the experience documented by Audio Video Revolution’s Mike Flacy, who gained access to Hulu employee Thomas Moore’s account due to the privacy flaw.
After logging in to Moore’s account, Flacy writes:
…I was able to access his [Moore’s] street address, financial information (last 4 digits of his CC with expiration date), device management, email address and password. I know that Thomas has just finished watching episodes of Modern Family, Suits, Burn Notice and The Guild. If I was a jerk, I could cancel his Hulu Plus account, turn off all his devices and change his email / password. If I was a devious thief, I could slip my device onto his account and get some free Hulu Plus until he noticed. Thank goodness for Thomas, I’m not.
As further proof of his experience, Flacy provided several screenshots of the privacy flaw in action within his post.
“We’re still drilling down on the precise nature of the issue, but we know that it was a coding and configuration error on Hulu’s side, and not the result of hacking, or other third-party actions, or a vulnerability in Facebook Connect,” wrote Hulu’s Vice President of Platform Technology Richard Tom on the company’s blog.
Tom said the company is being extra cautious going forward. All the integration of Facebook Connect on Hulu has been disabled, and all users are required to login directly to the site using their Hulu account information instead of a Facebook ID. Also, all privacy settings have been set to the maximum restrictive level by default for anyone who logged into a Hulu account using Facebook.
“Once we are certain that the issue has been fully addressed, we will re-launch our Facebook Connect program,” Tom said. “We apologize to any affected users, and we intend to do everything we can to make it right and avoid similar issues in the future.”
It’s a shame that Hulu ran into such a huge security compromising bug, because at least one of the new features enabled through Facebook Connect was exactly as the company described it: “first-of-its-kind…”
The feature allows Hulu users to comment on a specific moment within a video. Both the comment and the relevant portion of the video can be shared on your Facebook profile by clicking a button on the video player’s page. Other video services like Vimeo and YouTube have similar commenting features, but neither has done it quite like Hulu does with its social integration.
Hulu said it won’t roll out Facebook Connect integration to the site again until the company can ensure that breaches of privacy won’t occur in the future. But since that could take a while, I’ve embedded a screenshot of the new commenting feature below.