Facebook applications are becoming more promising targets for online attacks after the website launched new platform features that will enable developers to request email addresses from their users.
In an update last week, platform team engineer Arjun Banker said that Facebook Platform had improved communication between developers and users, and it had now delivered "on this commitment by providing a simple way for users to share their email addresses with you via a process designed to reduce friction and empower application".
Banker said: “While we're making the process of requesting email addresses more streamlined, some developers have been communicating with users through this channel for some time. For example, LivingSocial has been sending emails to users of Visual Bookshelf for the past two years, consistently driving ten per cent of traffic to the application.
“They have found emails are most successful when they provide users with dynamically-generated content (such as a listing or books a user has marked as ‘currently reading' or a feed of all friend activity). More engaging messages generated above-average click-through rates of 5-12 per cent.”
The update will allow application developers to ask users to share their primary Facebook email address so that they can communicate with them directly. Banker said: “We recommend you use email to send them interesting and relevant information, like receipts for purchases they make, messages to help reactivate them if they haven't visited your application or integration in a while, or newsletters promoting new features or contests.”
Banker said that Facebook expects applications and Facebook Connect integrations to adhere to the Facebook Platform policies and provide users with a trustworthy experience.
He also said that developers will also be held to the Federal Trade Commission's CAN-SPAM act, and he encouraged them to become familiar with the guidelines associated with emailing users.
However, security blogger and white hat hacker 'the harmony guy' voiced concerns, saying that over time, it will be likely that popular applications will routinely request email addresses from users, meaning that eventually some applications could have millions of addresses saved.
He said: “One SQL injection hole could potentially compromise all of those email addresses. Also, if the application had an cross-site scripting (XSS) vulnerability, one could easily launch a FAXX attack that requests email addresses from Facebook via FQL.
“This certainly all depends on several factors, one being whether many users embrace sharing their email addresses with applications. My recommendation to users would be against letting applications have your email address; Facebook does provide a proxy system if you really want messages. But I do hope this new feature will bring more attention to issues of security on the Facebook Platform.”
See original article on scmagazineuk.com
Facebook app changes could lead to security issues
By
Dan Raywood
on Jan 25, 2010 11:48AM
Email harvesting may attract attacks.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
addresses and application as be changes collected could email facebook its lead nightmare platform security stored to users will
Partner Content
Promoted Content
From 30 people to 6 million: How workplace tech is driving Movember's global community
Promoted Content
4 essentials for protecting data in the new normal
Promoted Content
"Move away from linear thinking", futurologist advises business leaders
Promoted Content
Delivering customer-centric government
Sponsored Whitepapers
The ultimate guide to customer IAM
Communicating cyber security in a language the Board understands
10 questions to ask before you select a Network Performance Management tool
Innovate faster. Why accelerating change is a CIO's biggest challenge.
Unlock faster time-to-revenue using Adobe digital document processes
