While Facebook has been busy working on its new constitution in an effort to appease its increasingly anxious community over the past few days, the second application of dubious intent made its way onto the troubled site in the space of a week. The bad guys, it seems, have perfect timing.
Trend Micro reported Thursday that a rogue Facebook application had been posting false notifications to user profiles, telling them they have violated Facebook's Terms of Service and directing them to a malicious site for more information.
The alert read: "[Friend's name] has just reported you to Facebook for violating our Terms of Service. This is your official warning! Click here to find out why you were reported! Request Facebook look at what has happened and rule immediately."

Users who followed the link were directed to another application which, when installed, would proceed to spam the affected user's friends with the same notice, all the while gathering personal information.
This was the second scam for Facebook this week, following the 'Error Check System' app that sent notifications to users informing them that friends had encountered errors when trying to access their profile and providing a malicious link to view the error message.
While the Trend Micro report advised users to "exercise extreme caution when surfing" and recommended that Facebook review its application hosting policy, Graham Cluley points to the real culprit: Facebook itself.
"Third-party applications are not vetted before they are made available to the public. So, even as Facebook stamps out one malignant application, it can pop up in another place like a poisoned mushroom with a different name."
Although we're excited about the prospect of increased openness at Facebook, and impressed by the speed with which Mark Zuckerberg promised to bring democracy to Facebook after last week's user revolt, we can only hope that the giant Facebook gives some serious attention to the way it accepts third party apps - and soon. Having a bad month is one thing; having a bad year is quite another.
Image credit: Trend Micro
Comments
I agree that Facebook are not having a good month, I doubt that this will be the last time something malicious will circulate using this method. An Application on Facebook has to be trusted right?!
What you have to ask is what next? Facebook Connect has the potential to be exploited, logging in via a third party website which could potentially phish their login to circulate messages to all their friends.
The bigger they come the harder they fall...
My niece's account got phished overnight. I'm invited to accept a TOS agreement then key in my cellphone number.
Does anyone in product management even look at what these 'enhancements' do to the community, brand, hockeystick, forward trajectory of the nest egg?
I think FB has already jumped the shark. Something better this way comes. Craigsbook? Twitbook?
Seems Facebook already had a system in place for this. I thought an app had to earn trust to gain more notifications to be sent per day. I wonder how they got around that or if it kicked in just a little too late.
Facebook is so over with:
http://www.youtube.com/watch?v=MpraJYnbVtE
Twitter being its obvious usurper.
Even the reporters for the local TV news, here in no-wheres-ville Texas, are using Twitter and dumped Facebook.
Hey great read here. There were warnings even a year ago that many of the apps on Facebook can be dangerous. I don't get why people trust without doing research. It is easy to find information that will tell you that these apps are NOT designed by Facebook and that anyone can create them. That should be a warning right there. Facebook completely washes its hands of the apps. You are on your own. Beware
This whole thing is stupid, what do the virus makers really achieve?
As Kathleen commented...buyer beware! Just as good, professional people are on the major players' gathering sites...so are the cons! The war of the software engineers vs the internet invaders continues.
FB is becoming like an open computing platform and open marketplace for 3rd party software. It's similar to eBay, Amazon - even Windows in this way. People will continue to exploit security holes whenever you have an opportunity to affect lots of users. This is just the beginning - tip of the iceberg
FB needs to follow the lead of other companies that struggled with security such as Microsoft.
One way to help resolve this issue is to use the concept of trust with digital certification or have a program for legit appmakers to get "certified" as a genuine FB trusted app. Another way would be to provide more stop signs before installing an application and provide more info about the application vendor (similar to the way Amazon or eBay rates sellers). It is so easy to get tricked into installing an app.
They may also consider restricting access to personal information only for certified apps.
Another possible idea is to have the user explicitly select what info the app can access.
The sad reality is that whenever you have a truly open marketplace -whether it be for products or software or whatever - people will take advantage of it with fraudulent and malicious activity.
FB needs prevention, policing, and prosecution.
I'm not surprised since their security has been attacked these past few days. FB should increase their security, warn oblivious people more and learn from their mistakes, making sure something like this will not happen again.
I think the simplest initial fix for these kind of applications would not be an approval system for apps (Apple has shown how many troubles that can bring), but an end to giving every application carte blanche access to all of a user's information. Require applications to ask specifically for permission to access info beyond the very basics, and make it very clear to the user how much access they're granting. People may still click on fake notifications, but if the "error check system" then asks for their hometown and favorite movies, maybe they'll think twice.
I also think Facebook's notifications system could be improved - I don't understand why I get notifications from applications that my friends use that I've never approved. Seems to me those actions should come in the form of invitations only - i.e. only approved applications can generate notifications for me. (And even then I hate it when an approved app sends me a random "use this app again" notification.)
Massive problems for the face of the smashed face facebook
There is a lot of news about facebook recently and unfortunately none are good news. Too bad such site with millions of members is in such situation.
Facebook has other troubles too, if you ever check the ads that run on the system, there is plenty of bogus offers for getting rich quick, and phony home work programs that you are now hearing about on TV (CNN just did a big piece on it). Their system does not catch this either.
However, if you're thinking of using the site for creating business groups, which I learned the hard way not to do, you should think twice about putting much time into it.
Their system does catch members' actions, and it's not perfect. You can easily do something that triggers their system to deactivate your profile, which in turn leaves any groups you started open to be taken over by the next person that visits the group.
Yes, a competitor could take over your group.
This is not well known among business people yet, but if facebook ever expects to be a serious player with business, their system needs to be fixed in many ways.
that is really too bad.