Will you take Facebook’s candy?

By the Webroot Threat Team

It’s a creepy treat, with a serious underlying message. The latest viral website uses a horror movie format to show you just how much the average Facebook application can find out about you.

TakeThisLollipop, which has already received 1.7 million ‘Likes’ on Facebook, uses the social network’s application authentication scheme to find out about users.

Anyone clicking on the lollipop displayed on the site is asked to let the application access a panoply of information about them from Facebook, in addition to other privileges, such as posting as them. If they accept, they get to see the application’s payload: a video in which an unhinged man views their Facebook account, growing increasingly distressed as he looks at their pictures, wall posts, and friends’ status updates.

The whole thing is incredibly well done. It ends with the disturbed Facebook stalker driving towards your location (you knew that Facebook stored your hometown location, right?) and getting out of the car in a menacing fashion. Taped to his dashboard is a Polaroid, containing your profile picture. Chilling stuff.

What is even more chilling is the fact that this website is able to harvest so much information about you after you click the ‘Allow’ button in the dialogue box that it throws up. What else have you allowed access to, and how much do these applications know about you?

There is an even more important question: who is writing these Facebook apps, that harvest your most intimate personal and social data? There are seven million web sites and applications integrated with Facebook, many of which request privileged access to your account data before they will give you what the developers promise. Most people blindly allow these applications access, without thinking about where the information might be going.

It takes almost no effort to become a Facebook developer. The company introduced some basic developer verification procedures last year, such as providing a credit card number, or a mobile phone number. But of course, we know how many credit cards are stolen each year, don’t we? And how many mobile phones are stolen or cloned each week?

Clearly, there are many legitimate developers on Facebook. Webroot itself has a social media app that asks you to share some elements from your Facebook account, but we developed the app responsibly, and of course have very clear privacy guidelines on how we treat your information. But not every developer is that responsible.

Rogue developers can do what they want with the information may have it from Facebook accounts. Come to that, so can legitimate developers who may not have any bad intentions, but who are too lazy or disorganised to abide by privacy guidelines.

Now, thanks to a raft of announcements by Facebook this autumn, unwitting Facebook users face even less privacy. The social network would grant users the chance to approve a Facebook app just once to post information to their page, rather than having to keep authorising it every time. Facebook also announced its Timeline feature, which, assuming that they can negotiate the various lawsuits that ensued, will revolutionise the concept of a Facebook profile.

Timeline enables Facebook users to view all of their profile history on a single page. It also enables them to go back in time to the year that they were born, and manually fill out the events and add photographs. Facebook is, in effect, co-opting its users into filling out their own biographies and providing its application developers with an order of magnitude more information by mining their histories.

Once you grant third-party applications access to some privileges on Facebook, it can automatically see your friends’ information too. The effects of this more intimate access with its users make Facebook particularly insidious when it comes to security and privacy.

Facebook is working to make the concept of integrating with other web sites and apps easier. Mark Zuckerberg highlighted the concept of ‘frictionless sharing’ in his keynote at the F8 conference. But as apps like Take This Lollipop show, sharing Facebook data and privileges with other apps can open up a wealth of data about both you and your friends. It is time to think twice about which Facebook apps you approve, and what information you chose to share online.

6 thoughts on “Will you take Facebook’s candy?

  1. It’s not working for me, but when I click on the link it generated on my wall because I liked it, it said that Websense had identified it as unsafe. That is ridiculous.

  2. A lot of good information provided in the article. I have said, many times, that if it wasn’t necessary for my band to be on FB, I wouldn’t bother with it at all. My personal info page consists of my name and date of birth. (That’s all the military said I had to provide, along with rank and serial number, if captured during a war). High School, College, Interests? Those few friends I have on FB already know or don’t care to know. Everyone else can suck eggs. As far as apps go, I don’t have any. Most of them are childish anyway.

  3. FB is no use to me. Tried signing with them. Wasn’t worth the effort. They asked me for my age. I ask why, because the only way they could verify, is if they hacked government websites, They ask for my phone number. Again, I ask why; they don’t or won’t provide one to us. (trust me, I’ve looked) Then,even after playing along, they asked me to produce a government ID. That’s where I drew the line.

  4. Sorry had a little power failure. Anyway is FB headquartered in Nigeria now? Put my government ID on the net; are they serious? Again people, wake up. What could they compare it with, unless they are illegally hacking government databases. Their Help sections and forums are equally useless, because you have to login to use anything. Somewhere though one of my e-mails got through. Too bad they didn’t bother to read it, and in reply ; all I recieved was a form letter again asking for government ID. A TOTAL waste of time.

Join the Conversation

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s