Facebook: and so it begins...

I just came across this security advisory via The Register. A malicious Facebook application is using social engineering techniques to persuade people to install spyware/adware on their machines:

What happened is reasonably straightforward, sadly. The tremendous success and lightning fast expansion of Facebook (which, albeit resorting to debatable strategies as noted in a previous roundup, is undeniable) empowered the social networking giant with an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers like honey would attract flies.

I'm absolutely certain that this is just the first swell of an approaching tidal wave of Facebook malware. It isn't even a particularly clever example - it would be far more effective to use a Facebook application to harvest personal information whilst apparently offering a useful service, and then use the data elsewhere and/or at some time after the application harvested it. That would make it far more difficult for people to draw the connection between the harvesting app and the subsequent misuse of their personal data.

Currently there are more than 12,000 Facebook applications registered in Facebook. All you need to add an application to Facebook is an API key, and you can get one of those in seconds from the Facebook site, with no checking whatsoever by Facebook. The only mechanism Facebook seems to provide to 'protect' its users from malicious applications is a requirement that developers click on a checkbox to agree to Facebook's Developer Terms of Service. There's no vetting of the person applying for the API key, or of any applications they write.

After my previous experience of fighting with Facebook to get my account closed, I'm not in the least bit surprised at their cavalier attitude to Facebook application security. I'm also doubtful that they have the resources necessary to vet 12,000+ applications even if they wanted to, and, even if they did, there's nothing to stop someone registering a benign version of an application and then activating the malign part after the application has been accepted.

I wonder if there's a need for an application that shows people just how much information they are agreeing to hand over when they install a Facebook application?

Categories : Web, Tech