Facebook app changes could lead to security issues

Powered by SC Magazine
 

Email harvesting may attract attacks.

Facebook applications are becoming more promising targets for online attacks after the website launched new platform features that will enable developers to request email addresses from their users.

In an update last week, platform team engineer Arjun Banker said that Facebook Platform had improved communication between developers and users, and it had now delivered "on this commitment by providing a simple way for users to share their email addresses with you via a process designed to reduce friction and empower application".

Banker said: “While we're making the process of requesting email addresses more streamlined, some developers have been communicating with users through this channel for some time. For example, LivingSocial has been sending emails to users of Visual Bookshelf for the past two years, consistently driving ten per cent of traffic to the application.

“They have found emails are most successful when they provide users with dynamically-generated content (such as a listing or books a user has marked as ‘currently reading' or a feed of all friend activity). More engaging messages generated above-average click-through rates of 5-12 per cent.”

The update will allow application developers to ask users to share their primary Facebook email address so that they can communicate with them directly. Banker said: “We recommend you use email to send them interesting and relevant information, like receipts for purchases they make, messages to help reactivate them if they haven't visited your application or integration in a while, or newsletters promoting new features or contests.”

Banker said that Facebook expects applications and Facebook Connect integrations to adhere to the Facebook Platform policies and provide users with a trustworthy experience.

He also said that developers will also be held to the Federal Trade Commission's CAN-SPAM act, and he encouraged them to become familiar with the guidelines associated with emailing users.

However, security blogger and white hat hacker 'the harmony guy' voiced concerns, saying that over time, it will be likely that popular applications will routinely request email addresses from users, meaning that eventually some applications could have millions of addresses saved.

He said: “One SQL injection hole could potentially compromise all of those email addresses. Also, if the application had an cross-site scripting (XSS) vulnerability, one could easily launch a FAXX attack that requests email addresses from Facebook via FQL.

“This certainly all depends on several factors, one being whether many users embrace sharing their email addresses with applications. My recommendation to users would be against letting applications have your email address; Facebook does provide a proxy system if you really want messages. But I do hope this new feature will bring more attention to issues of security on the Facebook Platform.”

See original article on scmagazineuk.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  26%
 
Application integration concerns
  3%
 
Security and compliance concerns
  29%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 859

Vote