Will you take Facebook’s candy?

by


By the Webroot Threat Team

It’s a creepy treat, with a serious underlying message. The latest viral website uses a horror movie format to show you just how much the average Facebook application can find out about you.

TakeThisLollipop, which has already received 1.7 million ‘Likes’ on Facebook, uses the social network’s application authentication scheme to find out about users.

Anyone clicking on the lollipop displayed on the site is asked to let the application access a panoply of information about them from Facebook, in addition to other privileges, such as posting as them. If they accept, they get to see the application’s payload: a video in which an unhinged man views their Facebook account, growing increasingly distressed as he looks at their pictures, wall posts, and friends’ status updates.

The whole thing is incredibly well done. It ends with the disturbed Facebook stalker driving towards your location (you knew that Facebook stored your hometown location, right?) and getting out of the car in a menacing fashion. Taped to his dashboard is a Polaroid, containing your profile picture. Chilling stuff.

What is even more chilling is the fact that this website is able to harvest so much information about you after you click the ‘Allow’ button in the dialogue box that it throws up. What else have you allowed access to, and how much do these applications know about you?

There is an even more important question: who is writing these Facebook apps, that harvest your most intimate personal and social data? There are seven million web sites and applications integrated with Facebook, many of which request privileged access to your account data before they will give you what the developers promise. Most people blindly allow these applications access, without thinking about where the information might be going.

It takes almost no effort to become a Facebook developer. The company introduced some basic developer verification procedures last year, such as providing a credit card number, or a mobile phone number. But of course, we know how many credit cards are stolen each year, don’t we? And how many mobile phones are stolen or cloned each week?

Clearly, there are many legitimate developers on Facebook. Webroot itself has a social media app that asks you to share some elements from your Facebook account, but we developed the app responsibly, and of course have very clear privacy guidelines on how we treat your information. But not every developer is that responsible.

Rogue developers can do what they want with the information may have it from Facebook accounts. Come to that, so can legitimate developers who may not have any bad intentions, but who are too lazy or disorganised to abide by privacy guidelines.

Now, thanks to a raft of announcements by Facebook this autumn, unwitting Facebook users face even less privacy. The social network would grant users the chance to approve a Facebook app just once to post information to their page, rather than having to keep authorising it every time. Facebook also announced its Timeline feature, which, assuming that they can negotiate the various lawsuits that ensued, will revolutionise the concept of a Facebook profile.

Timeline enables Facebook users to view all of their profile history on a single page. It also enables them to go back in time to the year that they were born, and manually fill out the events and add photographs. Facebook is, in effect, co-opting its users into filling out their own biographies and providing its application developers with an order of magnitude more information by mining their histories.

Once you grant third-party applications access to some privileges on Facebook, it can automatically see your friends’ information too. The effects of this more intimate access with its users make Facebook particularly insidious when it comes to security and privacy.

Facebook is working to make the concept of integrating with other web sites and apps easier. Mark Zuckerberg highlighted the concept of ‘frictionless sharing’ in his keynote at the F8 conference. But as apps like Take This Lollipop show, sharing Facebook data and privileges with other apps can open up a wealth of data about both you and your friends. It is time to think twice about which Facebook apps you approve, and what information you chose to share online.