Facebook Security

Despite my better judgment, I’m still using Facebook. All of my friends and acquaintances use it, increasingly as an IM application, and not just for posting inane status updates. Indeed Adium, my IM client of choice, now supports Facebook chat, so I’m spending more time rather than less.

That being said, the thing I really don’t like about Facebook is the crappy applications and quizzes that people seem to expect you to join in with. I don’t care that you’ve thrown a sheep at me, or the Spice Girl you’re most like is ‘Baby Spice’… But more worrying is that these apps are quite often vectors for spam and people are entirely oblivious.

The security lab at Cambridge wrote a good article highlighting how bad this is, clearly spending a lot more time than my totally unscientific analysis of asking a few people I know, and experience of using the site. They noted that it’s relatively easy for an app to get published on the Facebook platform that can steal the user’s Facebook session, then use this to query Facebook’s servers impersonating the user and mine all of their personal data and that of their friends.

Facebook don’t allow you to do this under their terms of use, but obviously there are so many apps being published that some slip through the net. More than this, they’re not inclined to check particularly actively as long as users don’t shout too much – these apps have nicely targeted ads which make them and Facebook money. But of course the ads are targeted – the app stole all your data, so you can be pretty sure they can pick an accurate ad. None of this is new news; there have been a variety of reports in the technology and mainstream press highlighting how identity theft and other privacy concerns abound on Facebook.

The thing that never ceases to amaze me, however, is the fact that users continue to complete these inane quizzes, download free apps that allow them to throw sheep at their friends and don’t stop to wonder why anyone would go to the trouble of building these apps for free. It’s all well and good that Facebook asked me my date of birth when logging in from an ‘unusual location’ (I was travelling for work), but this is of little security benefit when it’s trivial to steal this information during my use of the site from the safety of my own house.

I’m unlikely to stop using Facebook given the number of friends and work colleagues who use it, but please don’t be offended if I ignore your request for a pillow fight, zombie chase, gang war, or the chance to find out which South Park character you are.