by mvandemar 5616 days ago
Firesheep, which allows people worldwide to steal other people's Facebook passwords over public wifi, comes out in October and they still don't redirect to https login by default. Zuckerberg's fan page gets hacked with a message pertaining to Facebook's investors and they close the loophole that allowed it to happen in 1 day. Of course.
3 comments

It's not a "loophole"; it's a critical vulnerability in their API server. It doesn't just affect Zuckerberg.
I think the point is that FB did nothing until it hit close to home and was embarrassing to their brand.
The https rollout you're referring to had nothing to do with the Zuckerberg hack; there were people testing it before the incident. It's a coincidence and has nothing to do with what happened with Zuckerberg's fan page. Do you really think he went to a coffee shop and logged into his fan page???
Fan pages don't work like that, at least not for normal users. Unless they have some special authentication system set up for Zuck's personal page, someone gaining access to his Facebook account should gain access to his fan page.

Or if his personal account is not an admin on the page, but again I find that unlikely.

Still, I believe them when they say it was an API bug. I don't see why they would lie and claim it was something else on the day they roll out a fix for the problem.

Firesheep doesn't steal passwords, it grabs cookies used for authentication. The distinction is important because with Firesheep, simply putting your login page on https isn't sufficient.

Stealing passwords is of course also trivial, but to do that you need to force a situation where the user has to actually log in again (see Moxie Marlinspike's sslstrip..., which will nail the majority of people even if the site normally does use https for everything. Really bloody effective.)
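The two points made in the comments above (an https login page does nothing if the session cookie is still sent over plain http, and https alone does not stop an sslstrip-style downgrade unless the site sends HSTS) can be turned into a simple response-header audit. This is an added example written for this thread, not code from Firesheep, sslstrip or Facebook; the header lists are constructed samples, and the cookie name `sessionid` is a made-up placeholder.

```python
# Added example: audit a server's response headers for the weaknesses discussed
# in the thread. A session cookie without the Secure attribute is sent over
# plain http too, where a passive sniffer on open wifi can read it; a site
# without Strict-Transport-Security can be downgraded from https to http.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a list of (header-name, header-value) pairs."""
    findings: List[str] = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            c = parse_set_cookie(value)
            if "secure" not in c["attrs"]:
                findings.append(f"cookie {c['name']}: missing Secure (sent over plain http, sniffable)")
            if "httponly" not in c["attrs"]:
                findings.append(f"cookie {c['name']}: missing HttpOnly (readable by page scripts)")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header (https downgrade not blocked)")
    return findings


# Constructed sample: a site that only put its login page on https.
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Content-Type", "text/html")]
# Constructed sample: the hardened equivalent.
HARDENED = [("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```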