Facebook Apps: Access To Numbers, Addresses
Facebook recently announced that it is making user phone numbers and addresses available to developers, a move that a security expert said “could herald a new level of danger” for Facebook members.
Facebook isn’t just releasing this information into the wild; it’s adding it to the company’s “User Graph object,” or the permissions required to install an app.
“Because this is sensitive information, we have created the new user_address and user_mobile_phone permissions,” Facebook wrote in a blog post. “These permissions must be explicitly granted to your application by the user via our standard permissions dialogs.”
Facebook said the permissions only provide access to a user’s address and mobile phone number, not their friend’s addresses or mobile phone numbers.
Before installation, Facebook apps currently display a permissions-based menu that informs users what type of information the app is accessing. Going forward, users will be informed when the app accesses their phone numbers or addresses.
Sophos’s Graham Cluley, however, said that even though the information will only be accessible when a user gives permission, “there are just too many attacks happening on a daily basis which trick users into doing precisely this.”
“Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission – and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service,” Cluley wrote in a blog post.
Cluley suggested that scammers could set up a rogue app that collects mobile phone numbers and then uses that information to send SMS spam or sell the data to cold-calling companies.
Cluley wrote that only Facebook-approved app developers should be able to request this information or that app developers ask for the data rather than automatically grabbing it. In the meantime, he wrote, users should delete their phone numbers and addresses from their profile information.
Last year, there were reports that Facebook user IDs were being sent to third parties. Facebook initially proposed encryption as a possible workaround, but later opted to embed a user ID in a HTTP POST body, which means it will not be exposed in any HTTP referrer header at all; encrypted or not.