May 1, 2008

Facebook Applications Could Threaten User Security

Applications such as games and quizzes on the popular social networking site Facebook could potentially be used by Web criminals hoping to gain added information in an effort to steal users' identities.

Facebook, which began as a networking tool for college students, has now become an international networking site that allows friends to keep up with each other, share photos and also share games and quizzes, which are simple applications that can be submitted by virtually any user.

Anyone with a basic understanding of web programming can write an application.

Facebook insists that it keeps all personal information secure, but these applications could potentially pose a threat to that guarantee.

There are thousands of submitted applications floating around on Facebook, and many of them become more widespread after one user invites his or her friends to use them too.

These applications are a primary reason that Facebook began to emerge as a popular networking tool.

However, investigators at BBC News exposed a crucial flaw that could potentially already be used by identity thieves.

In less than three hours, BBC's resident coder set up a simple application that appeared to users as a game called Miner, but after users agreed to use it, it would begin collecting all personal information listed on that user's Facebook page as well as all of their friends' information.

In order for applications to work, they must first have user consent to access the personal information on their Facebook profile.

These applications run on third-party servers, not on Facebook's own, so it is very hard for Facebook to check how long applications store data and what they do with it.

BBC News added that they were unaware of any application that currently exploited user information other than their test, but warned that it wasn't hard to pull off.

Paul Docherty, Technical Director of Portcullis Security, which advises several governments on IT security matters, including the British government, said, "morally, Facebook has acted naively."

"Facebook needs to change its default settings and tighten up security," he added.

When BBC News confronted Facebook about the issue, the company said it has an investigations team that watches over the site. The team is set up in order to block and remove any applications that violate Facebook's terms of use.

It also advises users to use the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop.

MySpace, Facebook's chief competitor, recently began using its application platform. However, it handles applications differently: all of them run on MySpace's own servers, so it can see what they are up to.

BBC News reported being unable to create a similar application that would threaten user security on MySpace.

