ReadWriteWeb

How Safe are Facebook Applications?

Written by Sarah Perez / October 16, 2009 7:21 AM / 16 Comments

Recently, Roger Thompson, chief research officer at security firm AVG, discovered over half a dozen Facebook applications that had been compromised by malicious hackers. Although the apps' reach was small with relatively few users being affected, Thompson was concerned because it was the first time he had seen apps themselves hacked as opposed to something like Facebook profile pages, a common target for the still-spreading Koobface worm.

While this incident alone wouldn't generate much excitement given the low-profile nature of the applications affected, it's not the only example of unsafe applications on Facebook. Another researcher just spent an entire month scouring Facebook apps for security vulnerabilities and what he found is disturbing: six of the hacked apps were in the top ten, 9700 applications were affected, and the potential victims totaled 218 million users.

Hacked Apps Found Forcing Malicious Software on Users

In the case of the hacked Facebook apps found by AVG, the apps had been compromised by the use of "iframes," which are bits of code embedded in the applications themselves. The iframes were able to load content from malicious websites into the applications' pages on Facebook.com, directing app users to install software on their computers by purporting to be an update for an out-of-date Adobe Reader product.

Image Credit: AVG (thompson.blog.avg.com)

At first, Thompson thought the apps had been hacked by the developers, but as it turned out, it was the developers who were the victims. After looking at the source code for the apps in question, Thompson found that the iframes had been injected into the apps' code due to infected software on the developers' PCs.
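Checking an app's own source for the kind of injected frame Thompson found can be scripted. The following is an added example, not AVG's or Facebook's code: it parses a page fragment and flags any `<iframe>` whose `src` points away from the developer's own hosts or that is sized or styled to be invisible. The trusted host names and the `malware-host.invalid` fragment are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the app is expected to embed content from (hypothetical values).
TRUSTED_HOSTS = {"apps.example-developer.com", "static.ak.facebook.com"}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """A frame sized to 0/1 px or styled away is not meant to be seen."""
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (src, reasons) for iframes loading off-domain or hidden content."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("off-domain host " + host)
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed page fragment: one legitimate frame and one injected frame.
SAMPLE_HTML = """
<div id="app"><iframe src="http://apps.example-developer.com/game"
  width="760" height="600"></iframe></div>
<iframe src="http://malware-host.invalid/update.php" width="0" height="0"
  style="display: none"></iframe>
"""
if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML):
        print(src, "->", "; ".join(why))
```

Running the same check over every page an app serves, and diffing the result against the last known-good build, is how a developer would notice an injection that their infected workstation made without them noticing.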

Facebook quickly reacted to the situation and took down the compromised apps, while also contacting the developers to warn them of the issue.

Thousands of Apps Vulnerable to Attacks

While hacked Facebook apps may still be a bit of a rarity today on the popular social network, security vulnerabilities that could lead to malicious attacks are not. After spending a month on Facebook looking for application bugs, another security researcher made some disturbing findings.

Specifically, the researcher, who goes only by the handle "theharmonyguy" online, was looking for a specific vulnerability he referred to as a "FAXX Hack." FAXX stands for "Facebook Application + XSS + XSRF" or, in other words, a cross-site scripting vulnerability - a certain type of security hole that could allow a hacker to access profile information, including personal details, status updates, and photos of a victimized user and their friends.

The findings showed that many Facebook applications, even those that were widely used and considered trustworthy, lacked basic security precautions. Some 9700 Facebook applications were affected by vulnerabilities, and nineteen of the applications in question had passed through Facebook's "Verified Application" program, a sort of "stamp of approval" designed to assure Facebook users of an app's general trustworthiness. Among the apps, six were ranked in the top ten by monthly active users, including FarmVille, Causes, LivingSocial, Movies, Farm Town, and YoVille. The collective monthly active user count for all the hacked apps totaled 218 million, although that figure does include overlaps. Also, seven of the top ten application developers on Facebook were found to host at least one vulnerable app. (Note: the 9700 number may seem large, but that's due to one vulnerability found in the "Make a Gift!" application. Make a Gift! lets users create their own custom applications for sending gifts, and the myriad of resulting applications are all hosted from the same server.)

While discovering the bugs, the researcher contacted each application developer to make him or her aware of the hole. For the most part, developers responded quickly and took the situation seriously. However, several developers took a while longer to respond. Nine took over a week to patch their application and one even took two weeks. And those delays were not due to the complexity of the required patches - these were, in terms of coding, simple fixes.

What's most concerning about these findings is how widespread the problem was. Unlike the apps AVG discovered, this wasn't a minor, isolated incident affecting a small handful of users. Although the apps in question here were just vulnerable to attacks as opposed to being compromised themselves, it shows how risky it is to use any application, Facebook Verified or not.

Is Any App Safe?

On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz...or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy.

With hacked apps, security vulnerabilities, lack of privacy policies, and apps that can read your private profile information, one has to wonder if using any Facebook application is appropriate and safe these days.

Update: Facebook's response: "Developers on Facebook Platform must comply with Platform Policy Guidelines, which require that applications provide a trustworthy user experience. Similarly, applications must post their own privacy policy if they collect any user information. We enforce these guidelines through spot checks and have disabled thousands of apps that we found in violation. We also encourage users to report suspicious apps and practice caution with all of their online activity."


Comments


  1. I personally have found exploits in Facebook's apps that can cause identity theft and other personal resources. That is why a user must have the necessary security measures on their computer.

    Posted by: Mark Smith | October 16, 2009 9:33 AM



  2. The frightening thing is that virtually any computer (regardless of patches, antivirus, antispyware, etc.) is vulnerable if the user can be convinced to click on the right (or this case wrong) thing. The attacks are now sophisticated enough that even an educated user might make that mistake.

    Posted by: Rodger Ling | October 16, 2009 12:24 PM



  3. Facebook.com should do better than that. That's exactly why I do not sign in to do games or anything else. I strictly use facebook.com to communicate with friends & family.

    Posted by: Teresa | October 16, 2009 1:04 PM



  4. I found one strange thing happening after I joined the "social interview" application on Facebook. The application is cool, but I had never believed that it could harm my laptop. The pointer on the screen, when placed on a link, shows some language, maybe French or German, in the info tab. I don't know how to get rid of this. I removed the application and closed Facebook, but still the damn thing never goes...

    Posted by: Rishi | October 17, 2009 2:39 AM



  5. Yes, I've always been worried about all the quiz applications my "friends" have been taking. This doesn't help my peace of mind. I really hope Facebook implements something to control this.

    Posted by: Fedor | October 17, 2009 11:45 AM



  6. This is very disturbing. I've been very cautious of apps and tried to ignore the ones that don't really make my Facebook experience any better. But I humbly admit that I upgraded the Adobe security patch and I've had computer problems ever since. Damage control now. Thanks for the update. I'd love to know which apps have been hacked.

    Posted by: Hans | October 18, 2009 7:59 AM



  7. I only use Facebook for personal things and communication. I never do any of the games or apps, and I also don't put enough personal info on my profile page to get me in trouble. It's always going to be difficult to stay one step ahead of hackers; we all have to protect ourselves and take responsibility, and not depend on big companies for protection.

    Posted by: Angie | October 18, 2009 10:46 AM



  8. I hardly use any of them. Facebook Barebones has been good enough for me.

    Posted by: Paramendra | October 18, 2009 9:18 PM



  9. Facebook applications have been hacked; I don't think any solution has been invented yet.

    Posted by: Inka | October 19, 2009 12:39 AM



  10. Terrifying stuff. I never add apps - I'm just not into throwing sheep. I am, however, developing a (useful) app myself! Since I started in earnest I've read about exploits out there and it's *amazing* how leaky the internet is. Note that it applies to many websites outside of Facebook. See this page:
    http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications

    Posted by: Richard | October 20, 2009 8:45 AM



  11. Um, check me if I'm wrong, but if you look at the code of this page at the Facebook login part, you'll see much of the same plumbing that goes into the Facebook iFrame apps - the same type that are causing the issues. I suspect the data leakage issue could occur outside of Facebook. If true, the guys commenting on this page who wouldn't consider using an app, but would login via FB Connect, could be exposed.

    Again, just a guess but I can't imagine what is different - Connect and iFrame apps work in the same basic way and you use much of the same code.

    Posted by: Richard | October 20, 2009 10:10 PM






  13. I joined Facebook recently and was leery about giving Facebook access to my e-mail address and password so they can help me connect with my friends. Is it safe to give them this information?

    Posted by: druckerpatronen canon | October 22, 2009 3:48 AM



  14. I don't care whether it is secure or not. I never put my personal or any private info on Facebook. I am using it for friends and taking some funny moments from it. But I think it is secure... even though it is powered by Google.

    Posted by: r4 cards | October 24, 2009 2:55 AM



  15. I am very eager to use this service in my site

    Posted by: Haris | November 5, 2009 11:24 PM



  16. Hi, I got a nasty message from someone that I never heard of. I sent her a message and told her I don't want nasty stuff on my Facebook. If you log on to her, she has filthy pictures. There should be a page so that you can put things on there to Facebook so they can take care of the problems. I am not happy that she is allowed to send to people and you can click to her and she can post that stuff on Facebook. There are a lot of families using Facebook. When you get that junk it is not good.

    Posted by: kathleen tedrow | December 7, 2009 4:23 PM


