Facebook app changes could lead to security issues

Powered by SC Magazine

Email harvesting may attract attacks.

Facebook applications are becoming more promising targets for online attacks after the website launched new platform features that will enable developers to request email addresses from their users.

In an update last week, platform team engineer Arjun Banker said that Facebook Platform had improved communication between developers and users, and it had now delivered "on this commitment by providing a simple way for users to share their email addresses with you via a process designed to reduce friction and empower applications".

Banker said: “While we're making the process of requesting email addresses more streamlined, some developers have been communicating with users through this channel for some time. For example, LivingSocial has been sending emails to users of Visual Bookshelf for the past two years, consistently driving ten per cent of traffic to the application.

“They have found emails are most successful when they provide users with dynamically-generated content (such as a listing of books a user has marked as ‘currently reading’ or a feed of all friend activity). More engaging messages generated above-average click-through rates of 5-12 per cent.”

The update will allow application developers to ask users to share their primary Facebook email address so that they can communicate with them directly. Banker said: “We recommend you use email to send them interesting and relevant information, like receipts for purchases they make, messages to help reactivate them if they haven't visited your application or integration in a while, or newsletters promoting new features or contests.”

Banker said that Facebook expects applications and Facebook Connect integrations to adhere to the Facebook Platform policies and provide users with a trustworthy experience.

He also said that developers will be held to the US CAN-SPAM Act, which the Federal Trade Commission enforces, and he encouraged them to become familiar with the guidelines associated with emailing users.

However, security blogger and white hat hacker 'the harmony guy' voiced concerns, saying that over time, it will be likely that popular applications will routinely request email addresses from users, meaning that eventually some applications could have millions of addresses saved.

He said: “One SQL injection hole could potentially compromise all of those email addresses. Also, if the application had a cross-site scripting (XSS) vulnerability, one could easily launch a FAXX attack that requests email addresses from Facebook via FQL.

“This certainly all depends on several factors, one being whether many users embrace sharing their email addresses with applications. My recommendation to users would be against letting applications have your email address; Facebook does provide a proxy system if you really want messages. But I do hope this new feature will bring more attention to issues of security on the Facebook Platform.”
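The SQL injection point above is easy to see in miniature. The following is an added example written for this page, not code from the article, from Facebook, or from the harmony guy; the table name, column names and sample addresses are all constructed, standing in for a hypothetical application that has stored the email addresses users shared with it. A lookup that concatenates a request parameter into the query leaks the whole table to a single crafted value, while the same lookup with a bound parameter returns nothing for that value.

```python
import sqlite3

# Constructed sample data: a fictional app's table of harvested addresses
# (hypothetical table/column names, not from the article).
SAMPLE_USERS = [
    (1001, "alice@example.com"),
    (1002, "bob@example.com"),
    (1003, "carol@example.com"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_users (fb_uid INTEGER PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO app_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, fb_uid):
    """Vulnerable: the request value is spliced straight into the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT email FROM app_users WHERE fb_uid = '%s'" % fb_uid
    return [row[0] for row in conn.execute(sql)]


def lookup_email_hardened(conn, fb_uid):
    """Hardened: the value is bound as a parameter. The driver never parses
    it as SQL, so a crafted value simply fails to match any row."""
    rows = conn.execute("SELECT email FROM app_users WHERE fb_uid = ?", (fb_uid,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a legitimate id and with an injection payload."""
    conn = build_db()
    legit = "1001"
    payload = "1001' OR '1'='1"  # closes the quoted literal, then always-true OR
    return {
        "vuln_legit": lookup_email_vulnerable(conn, legit),
        "vuln_payload": lookup_email_vulnerable(conn, payload),
        "hard_legit": lookup_email_hardened(conn, legit),
        "hard_payload": lookup_email_hardened(conn, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the payload, the vulnerable lookup's query becomes `... WHERE fb_uid = '1001' OR '1'='1'` and every stored address comes back, which is exactly the "one hole compromises all of those email addresses" scenario; the bound-parameter version returns an empty list for the same input. In a real application the parameterised query should be paired with input validation (an id that is not all digits should be rejected before it reaches the database at all).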

See original article on scmagazineuk.com

Copyright © SC Magazine, US edition
