
For Hulu, Facebook Connect becomes a security headache

Video-streaming site pulls the plug on plan to allow Facebook users to log in, after programmer's error exposes personal information.

Declan McCullagh Former Senior Writer

Hulu acknowledged this afternoon that an attempt to integrate itself with Facebook didn't go exactly as planned.

Far from aiding the "entire social experience," which the video streaming service had promised in its announcement earlier in the day, the attempted integration allowed some Hulu users to access other users' accounts.

How Hulu's implementation of Facebook Connect was supposed to work.

In a follow-up blog post this afternoon, Hulu Vice President Richard Tom said the security breach was the result of a programming error, not malicious activity, and did not expose passwords or credit card numbers.

"When we launched our Facebook Connect feature early this morning, we discovered that a small number of users weren't seeing their own Hulu account information upon log-in," Tom wrote. Hulu is still investigating what went wrong and has pulled the plug on Facebook Connect in the interim, he added.

The trade Web site Audio Video Revolution reported that the security breach exposed details about Hulu employees:

This time, it logged me in to the account of a Hulu.com employee, Thomas Moore. Thomas is also a former employee of Facebook according to his Facebook page as well as LinkedIn.

After the click, I was able to access his street address, financial information (last 4 digits of his CC with expiration date), device management, e-mail address and password. I know that Thomas has just finished watching episodes of Modern Family, Suits, Burn Notice, and The Guild. If I was a jerk, I could cancel his Hulu Plus account, turn off all his devices and change his e-mail/password. If I was a devious thief, I could slip my device onto his account and get some free Hulu Plus until he noticed. Thank goodness for Thomas, I'm not.

Facebook Connect is a set of programming interfaces that allows users of the social-networking site to use their accounts to log in to other Web sites. In this case, Hulu had hoped that Facebook Connect would encourage more interaction and allow video sharing among its users, including being able to freeze a moment in a film or TV show and then send around the corresponding link.

Today's breach comes amid reports in the last week that Hulu is meeting potential suitors as part of a possible acquisition (it's owned by ABC, Fox, and NBC Universal). The rumors have also led to speculation that one of Hulu's studio backers is intentionally leaking reports to the media to drive up the sale price.

Google is among a list of potential buyers that also includes Microsoft and Yahoo, according to a report today in The Los Angeles Times.