20 October 2010

Beware of Third Party Facebook Application Security Risks

You’ve seen it all over the place… Privacy Concerns, Security Issues, Identity Stolen, Dangers of Social Networking, Social Media Threats, Personal Information Sold. All too often Facebook is the culprit, notorious for breaching the confidences of the hundreds of millions of users who have profiles on the ever-popular Social Networking site. The Wall Street Journal reported yesterday that its own investigation into Facebook uncovered that many of the more popular third party applications being used on Facebook have been giving dozens of advertising companies access to personal information.

Unfortunately, no one knows for sure how long the breach has been in place and who exactly has been affected by it. But it is clear that this problem has been occurring for quite some time. In fact, I wrote about this very topic earlier this year in my article “Facebook Privacy Concerns Continue.” And if you go to Google and type in “Facebook Security Issues”, more than 72 Million pages of results come up.

Facebook and other sites on the Internet currently track their users’ online activities and patterns. They are supposed to be tracking this information anonymously, but instead Facebook has created an exclusive User ID number that is uniquely tied to the profile of each individual user. As a result, some of the most popular third party applications being used on Facebook have been transmitting identifying information, essentially the user’s name and in some cases the names of the user’s friends, to third party Internet Tracking and Advertising companies. This issue is said to affect tens of millions of profile users on Facebook, including those users who have opted to use the strictest of privacy settings. In that case only the name of the user was given, but if a user did not use the highest level of security, the Facebook ID can also give any information that is set to “everyone”, including age, where the user lives, occupation and any posted pictures.

The Journal reports that news of the breach came just after the company announced it had created a control panel that lets users see which apps are accessing which categories of information about them. According to the Journal, the problem has ties to the fact that many companies build detailed databases on people in order to track their online patterns. It is this practice that has led the Journal and others to examine this issue further. Facebook made an announcement on Sunday, October 17, that they would work to “dramatically limit” potential exposure of personal information to outside sources. An unnamed spokesperson was quoted as saying:

“A Facebook User ID may be inadvertently shared by a user’s Internet browser or by an application,” the spokesman said. Knowledge of an ID “does not permit access to anyone’s private information on Facebook.”

Although Facebook prohibits application makers from transmitting user data to outside advertising and data companies, The Journal reported that all of the 10 most popular apps on Facebook were transmitting users’ IDs to “at least” 25 outside data companies. The application culprits include Zynga Game Network Inc.’s FarmVille with 59.4 Million Users, Texas HoldEm Poker with 36.3 Million Users, Frontierville with 30.6 Million Users, Cafe World with 21.9 Million Users, Mafia Wars with 21.9 Million Users and Treasure Isle with 15.3 Million Users. The other Apps known to be transmitting user data are Phrases with 43.4 Million Users, Causes with 26.7 Million Users, Quiz Planet with 16.5 Million Users, and IHeart with 14 Million Users. Currently there are more than 550,000 third party applications available for use on the site, most of which are created by independent software companies and not by Facebook itself.

It’s not clear if developers of many of the apps transmitting Facebook ID numbers even knew that their apps were doing so. The apps were using a common Web standard, known as a “referrer,” which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referrers can expose a user’s identity.
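The referrer behaviour described above, shown as an added example that is not code from the article, the Journal or Facebook: it models which Referer value a browser sends to a third-party host under a given Referrer-Policy, and flags ID-like values a cross-origin recipient could read from it. The URLs, the numeric ID and the function names are constructed for illustration.

```javascript
// Constructed sample data: host names and the numeric ID are made up.
const PAGE = "https://social.example/profile.php?id=1234567890&ref=apps";
const TRACKER = "https://ads.tracker.example/pixel.gif";

// Referer value a browser sends for a request from pageUrl to targetUrl
// under the given Referrer-Policy (the commonly used policies are modelled).
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  const full = page.origin + page.pathname + page.search; // fragment is never sent
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("policy not modelled: " + policy);
  }
}

// Audit check: ID-like values that a cross-origin recipient can read from the
// Referer. "Five or more digits" is an assumed heuristic for a numeric user ID.
function leakedIds(requestUrl, referer) {
  if (!referer) return [];
  const ref = new URL(referer);
  if (ref.origin === new URL(requestUrl).origin) return [];
  const hits = [];
  for (const [key, value] of ref.searchParams) {
    if (/^\d{5,}$/.test(value)) hits.push(`${key}=${value}`);
  }
  for (const segment of ref.pathname.split("/")) {
    if (/^\d{5,}$/.test(segment)) hits.push(`path:${segment}`);
  }
  return hits;
}

// Compare the long-standing default with the current browser default.
for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  const referer = refererFor(PAGE, TRACKER, policy);
  console.log(policy, "->", referer, leakedIds(TRACKER, referer));
}
```

Under no-referrer-when-downgrade, which matches the older default browser behaviour, the full page address including the ID reaches the third-party host; strict-origin-when-cross-origin, the default in current major browsers, trims it to the origin.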

The company says it has disabled thousands of applications at times for violating its policies. It’s unclear how many, if any, of those cases involved passing user information to marketing companies.

I am sure it is not sheer coincidence that this information comes out right on the cusp of the new movie “The Social Network” which was released earlier this month. Or perhaps the movie came out as a result of all of the issues with Facebook security. Either way, I find it ironic that during the creation of Facebook (which was launched on October 23, 2003 from a Harvard dorm room), Zuckerberg was charged by the school administration with breach of security, violating copyrights, and violating individual privacy because he hacked into the protected areas of Harvard’s computer network in order to access and copy the houses’ private dormitory ID images.

The issues seem to be never-ending, and unless they make some drastic changes, the outcome could eventually be quite grim. Could this be the beginning of the end for Facebook?

The above article was originally published at: http://ipwatchdog.com/2010/10/19/beware-of-third-party-facebook-application-security-risks/id=12861/