Facebook applications can really steal your personal data

A couple of days ago I highlighted a post about security issues with Facebook applications from the Light Blue Touchpaper blog (the security research team at Cambridge). It came the week after I had spent two days giving repeated sessions of a “how to stay safe on the Internet” course and showing people how they could change their privacy settings to prevent non-Friends from seeing their personal information.

Joseph Bonneau has posted some research he’s done into the information that a rogue Facebook application can read from your profile. The brief summary is:

  1. Facebook applications can access all information that you can access.
  2. This means that they can access your profile and any information in your friends’ profiles they have shared with you.
  3. There is nothing to stop an application harvesting all this information and sending it to a third-party web site.

Put another way:

  1. Your friend installs a Facebook application.
  2. Because you’ve shared parts of your profile with your friend, the application your friend just installed can read your information.
  3. The application your friend installed sends your information off to a database somewhere else.

So without you doing anything, or even knowing about it, someone has just harvested your profile. My advice now would be simply to delete all your profile information from Facebook and, if you do keep any there, to share it with no-one.
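As an added illustration (not code from the original post, nor from Bonneau’s research), here is a small Python model of the access rule in the list above: an application sees exactly what the person who installed it can see, so a friend’s app inherits your friends-only fields. The user names, field values and the application name are constructed for the example, and the visibility levels are an assumption used to make the point, not Facebook’s actual settings.

```python
"""Toy model of the data flow described above: a third-party application
installed by one user inherits that user's view of everyone else's profile.
Constructed example; nothing here talks to Facebook or any real API."""
from dataclasses import dataclass, field

# Visibility levels a profile field can have, most to least restrictive.
# These three levels are an assumption of the model.
ONLY_ME, FRIENDS, EVERYONE = "only_me", "friends", "everyone"


@dataclass
class User:
    name: str
    # field name -> (value, visibility)
    profile: dict = field(default_factory=dict)
    friends: set = field(default_factory=set)
    installed_apps: set = field(default_factory=set)


def visible_fields(viewer: User, owner: User) -> dict:
    """Return the profile fields of `owner` that `viewer` is allowed to read."""
    out = {}
    for key, (value, vis) in owner.profile.items():
        is_friend = viewer.name in owner.friends
        if viewer is owner or vis == EVERYONE or (vis == FRIENDS and is_friend):
            out[key] = value
    return out


def exposure_report(app: str, users: dict) -> dict:
    """Everything `app` can read, pooled over the views of every user who
    installed it. This is the data a rogue application could send elsewhere,
    and it includes people who never installed the app themselves."""
    report = {}
    for installer in users.values():
        if app not in installer.installed_apps:
            continue
        # The application borrows the installer's view of each profile.
        for target in users.values():
            data = visible_fields(installer, target)
            if data:
                report.setdefault(target.name, {}).update(data)
    return report


def lock_down(user: User) -> None:
    """The post's advice applied: share every field with no-one."""
    for key, (value, _vis) in user.profile.items():
        user.profile[key] = (value, ONLY_ME)


def scenario() -> dict:
    """Constructed sample data: Alice shares some fields with friends only;
    Bob, her friend, installs an application. Alice installs nothing."""
    alice = User("alice", {
        "phone": ("555-0100", FRIENDS),
        "email": ("alice@example.invalid", ONLY_ME),
        "hometown": ("York", EVERYONE),
    })
    bob = User("bob", {"birthday": ("1 Jan", FRIENDS)},
               friends={"alice"}, installed_apps={"quiz_app"})
    alice.friends.add("bob")
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    users = scenario()
    print("before:", exposure_report("quiz_app", users))
    lock_down(users["alice"])
    print("after lock-down:", exposure_report("quiz_app", users))
```

Running it shows Alice’s phone number and hometown in the report even though only Bob installed the application; her email, marked only_me, never appears. After `lock_down`, Alice drops out of the report entirely, which is the whole of the mitigation the post recommends: the application’s reach is bounded by what the installing user can see, so the only setting that reliably protects you is one you control yourself.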

Of course this application violates Facebook’s rules, and they’ve now removed the offending application that Bonneau described, but I’m sure there will be others, especially as Facebook sometimes makes it hard to actually understand what information you are sharing with whom.

The full article: http://www.lightbluetouchpaper.org/2009/06/09/how-privacy-fails-the-facebook-applications-debacle/

and a similar one from the SocialHacking blog: http://theharmonyguy.com/2009/05/28/about-that-verification/
