Facebook app changes could lead to security issues

Powered by SC Magazine
 

Email harvesting may attract attacks.

Facebook applications are becoming more promising targets for online attacks after the website launched new platform features that will enable developers to request email addresses from their users.

In an update last week, platform team engineer Arjun Banker said that Facebook Platform had improved communication between developers and users, and it had now delivered "on this commitment by providing a simple way for users to share their email addresses with you via a process designed to reduce friction and empower application".

Banker said: “While we're making the process of requesting email addresses more streamlined, some developers have been communicating with users through this channel for some time. For example, LivingSocial has been sending emails to users of Visual Bookshelf for the past two years, consistently driving ten per cent of traffic to the application.

“They have found emails are most successful when they provide users with dynamically-generated content (such as a listing of books a user has marked as ‘currently reading’ or a feed of all friend activity). More engaging messages generated above-average click-through rates of 5-12 per cent.”

The update will allow application developers to ask users to share their primary Facebook email address so that they can communicate with them directly. Banker said: “We recommend you use email to send them interesting and relevant information, like receipts for purchases they make, messages to help reactivate them if they haven't visited your application or integration in a while, or newsletters promoting new features or contests.”

Banker said that Facebook expects applications and Facebook Connect integrations to adhere to the Facebook Platform policies and provide users with a trustworthy experience.

He also said that developers will be held to the Federal Trade Commission's CAN-SPAM act, and he encouraged them to become familiar with the guidelines associated with emailing users.

However, security blogger and white hat hacker 'the harmony guy' voiced concerns, saying that over time it is likely that popular applications will routinely request email addresses from users, meaning that eventually some applications could have millions of addresses saved.

He said: “One SQL injection hole could potentially compromise all of those email addresses. Also, if the application had a cross-site scripting (XSS) vulnerability, one could easily launch a FAXX attack that requests email addresses from Facebook via FQL.

“This certainly all depends on several factors, one being whether many users embrace sharing their email addresses with applications. My recommendation to users would be against letting applications have your email address; Facebook does provide a proxy system if you really want messages. But I do hope this new feature will bring more attention to issues of security on the Facebook Platform.”
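The SQL injection risk raised above is the familiar one of a stored table of addresses being readable through a single unparameterised query. The following is an added illustration, not code from the article or from any Facebook application: it builds a small constructed SQLite table of user ids and email addresses, shows a lookup that splices the caller's value into the query text, and beside it the hardened form that validates the id and binds it as a parameter. The table name, column names and sample addresses are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: the kind of table an application might keep
# once users have shared their email address with it.
SAMPLE_USERS = [
    (1001, "alice@example.com"),
    (1002, "bob@example.com"),
    (1003, "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (fb_uid INTEGER PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, fb_uid):
    """Vulnerable form: the caller-supplied value becomes part of the SQL text.

    Anything other than a plain number changes the meaning of the WHERE
    clause, which is exactly how one hole can expose every stored address.
    """
    sql = "SELECT email FROM users WHERE fb_uid = " + str(fb_uid)
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, fb_uid):
    """Hardened form: validate the id as an integer, then bind it as a parameter.

    int() rejects non-numeric input outright (ValueError), and the bound
    parameter is never interpreted as SQL, so the query shape is fixed.
    """
    uid = int(fb_uid)
    sql = "SELECT email FROM users WHERE fb_uid = ?"
    return [row[0] for row in conn.execute(sql, (uid,))]


def compare_lookups(fb_uid):
    """Run both lookups on the same input and report how many rows each exposed.

    Returns a dict with the vulnerable row count and either the safe row
    count or the string "rejected" when the hardened version refuses input.
    """
    conn = make_db()
    result = {"vulnerable_rows": len(lookup_email_vulnerable(conn, fb_uid))}
    try:
        result["safe_rows"] = len(lookup_email_safe(conn, fb_uid))
    except ValueError:
        result["safe_rows"] = "rejected"
    conn.close()
    return result


if __name__ == "__main__":
    # A well-formed id behaves identically in both versions.
    print(compare_lookups("1001"))
    # A malformed id shows why the hardened version matters: the spliced
    # query returns the whole table, the parameterised one refuses the input.
    print(compare_lookups("1001 OR 1=1"))
```

The point of the hardened version is that the query shape is decided by the application, not by the request: validation narrows the input to what the column actually holds, and parameter binding keeps the database driver from ever treating the value as SQL. Reviewing an application for any query built by string concatenation over a table of this kind is the corresponding check.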

See original article on scmagazineuk.com

Copyright © SC Magazine, US edition
