Facebook Application Privacy

Since the last two weeks have been pretty heavy on security research and also since I’ve been getting more involved in Facebook API research; it was only natural that I combined the two and ended up doing some Facebook security research.

What I found wasn’t totally surprising to someone in the tech/development space, but may be news to the casual FB user. This is a public service announcement/reminder.

NOTE: While this post is specifically about Facebook applications, keep in mind that a majority of this applies to any web application which requires username and password authentication to connect to any social network.

First, all applications (and people who develop applications) regardless of weather or not you have ever used them or intend to use them have access to information about you that Facebook has deemed Publicly Available Information. User controlled privacy settings to prevent disclosure of this information are not an option. Anyone who finds and visits your profile page can see this information, as can any application integrated into Facebook’s API. I guess that’s the cost of doing business with Facebook.

Second, know that when you allow an application to connect to your Facebook account you are explicitly agreeing to allow them unrestricted access to even more information in your account.

Here is an excerpt from the Zynga Terms of Service page (Zynga makes FarmVille, Mafia Wars and other popular games):

You grant to Zynga the unrestricted, unconditional, unlimited, worldwide, irrevocable, perpetual fully-paid and royalty-free right and license to host, use, copy, distribute, reproduce, disclose, sell, resell, sublicense, display, perform, transmit, publish, broadcast, modify, make derivative works from, retitle, reformat, translate, archive, store, cache or otherwise exploit in any manner whatsoever, all or any portion of your User Content to which you have contributed, for any purpose whatsoever, in any and all formats; on or through any and all media, software, formula or medium now known or hereafter known; and with any technology or devices now known or hereafter developed and to advertise, market and promote same.”

For all you non-lawyers out there, I will paraphrase: “We have the legal right to take any of your User Content and do whatever the hell we want to with it…including sell it to other third-parties and you can’t do anything about it.”

Did you know that your User Content not only includes your game activity or actions performed within the application, but also includes your name, gender, profile picture, status updates, comments and more taken directly from your feed, wall and update streams?

Understand that any company that creates an application which you use has access to a treasure trove of information about you. This personal information about you, if in the wrong hands, can be used to create an identity fraud profile or to orchestrate a phishing attack against you (it’s thought that sons and daughters of women who expose their maiden name are at special risk since “mother’s maiden name” is commonly used by credit card companies as an identifier).

But I’m OK with this policy. Really, I am. If I decide to participate in a game or install an application then I understand that there’s a give an take. It’s the hidden cost of “free”. Where I get really uncomfortable is with the: “What your friends can share about you” settings. This is where the security alarms go off.

This area controls what information about you can be shared with application developers when your friends play. You don’t even have to be associated with that application. If any one of your FB friends associates with an application – extended information about you is made available to the app developers.

The following picture shows the “default” information your friends can share about you (click for larger image):

FB_share

Default Friend Share Screen (click to enlarge)

Are your friends as careful as you about what apps they associate with? Do you personally know all of your friends? Some of your “friends” may not have your best intentions in mind.

I highly suggest you uncheck all of these and update your settings as soon as you can. To do this, log on to your account and go to Account, Privacy Settings, Applications and Websites, and What Your friends Can Share About You. Uncheck them all and hit Save.

Now I’m not trying to scare anyone. I’m not saying Facebook is bad. Not all application developers are evil. I’m just trying to raise awareness. Be smart. Know the facts. Protect yourself. Free is not always free. Know what you are doing before you do it and take the time to read terms and services before you agree to them.

If you’d like to read more about Facebook security and best practices, check out the Sophos: Facebook Best Practices booklet. Keep in mind these people do security for a living so they’re pretty tight with their suggestions.

Tags: , , ,

No comments yet.

Leave a Reply