Is it my fault for giving permission to the app? Or is it to do with the software? Or with the whole concept of social networks generally?
Yes, yes and yes to those.
In which case, the question becomes "are we more interested in stopping the worms, or in keeping the network?" - I've edited the main post to that effect :)
It has to be said that as a facebook avoider (tried it, hated it) I'm probably not your target audience for this post :)
I work on the principle of minimum access only to maximally trusted organisations. I don't give details to an organisation which is going to treat data security in the way Facebook always has (i.e. a totally cavalier approach). I give my details (depending on sensitivity) to a minimum of organisations, and only give out particularly sensitive details to a select few.
This is why I'm so pissed off with Google for the whole Buzz fiasco and am actively looking at alternative systems to gmail (I'm willing to pay money not to be troubled by that crap to be honest). I may not find any, but I'm looking, and if I *do* come across a worthwhile system I'll be deleting my gmail account.
I wrote about Facebook apps in November: http://johnckirk.livejournal.com/288600.html
Basically, I think that their whole security model is flawed, because they have no concept of "least privilege". As a developer, there's no way for me to limit the amount of info I get; I just have to ignore the irrelevant stuff. I'd like to see something like the UAC prompt in Windows, where you'd get a different prompt before an app sends messages to your friends; some apps already do this voluntarily, e.g. challenging friends to quizzes or publishing Flixter reviews on your profile page.
Regarding the author, this app shouldn't be completely anonymous. I had to register as a developer last year, so Facebook should be able to track down the person who wrote it based on their ID; there's no need for digital signatures here.
As for spam, I know a couple of people who had their Facebook accounts hacked recently, i.e. someone was able to guess their password. One guy said that it sent messages to everyone whose name started with "A", so that does imply that there's a limit to the number of people a rogue app can contact in one go.
I agree with the least privilege thing - a smarter and finer grained system might help. I don't know how much it'd help, since many users aren't likely to be able to distinguish between the different levels of permission they give to different apps, but I think it'd at least help a bit.
Yes, the app author isn't anonymous. What I was complaining about above was that the app author wasn't immediately obvious to me at the moment I was clicking "Yes, give permissions to this app". On my android phone whenever I install an app, I get a screen which says "the app called X, written by Y wants permission to do Z". If Y is google, then I'm fairly confident it's not malware.
And yeah, I noticed that I wasn't able to send a single message to everyone that the worm notified. The limit on the number of people that can be notified at once seems to be higher than the number of people that can be messaged at once.
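The two points raised above, a per-use prompt (naming the author) before an app messages your friends, and a cap on how many people one action can reach, are easy to sketch in code. The following is an added illustration, not code from Facebook or from anyone in this thread; the scope names, the recipient cap of 20 and the `Broker` class are all invented for the example.

```python
"""Hypothetical least-privilege permission broker for a social-app platform.
Added example, not the platform's real code. It shows (1) an app only gets the
scopes it declared at install, (2) sending to friends needs a fresh UAC-style
prompt that names the app's author, and (3) one action cannot fan out to the
whole friend list. Scope names and the cap are assumptions for the example."""
from dataclasses import dataclass, field

# Constructed scope names; not the real platform's permission vocabulary.
READ_PROFILE = "read_profile"
MESSAGE_FRIENDS = "message_friends"   # requires a per-use confirmation prompt
POST_TO_WALL = "post_to_wall"

MAX_RECIPIENTS_PER_ACTION = 20        # assumed cap; the real value is unknown


class PermissionDenied(Exception):
    """Raised when a grant, a prompt or the fan-out cap blocks an action."""


@dataclass
class Grant:
    app_id: str
    author: str          # shown in every prompt so the user knows who wrote it
    scopes: frozenset


@dataclass
class Broker:
    grants: dict = field(default_factory=dict)   # app_id -> Grant
    sent: dict = field(default_factory=dict)     # (app_id, recipient) -> count

    def install(self, app_id, author, requested, approve):
        """approve(app_id, author, scopes) -> bool models the install prompt.
        Only the scopes shown and approved are granted; nothing implicit."""
        requested = frozenset(requested)
        if not approve(app_id, author, requested):
            raise PermissionDenied(f"user declined {app_id} by {author}")
        self.grants[app_id] = Grant(app_id, author, requested)
        return self.grants[app_id]

    def profile(self, app_id, user):
        """Return only the fields READ_PROFILE covers, not the whole record."""
        self._require(app_id, READ_PROFILE)
        return {k: user[k] for k in ("name",) if k in user}

    def send_messages(self, app_id, recipients, text, confirm):
        """confirm(app_id, author, n) -> bool models the per-use prompt.
        The fan-out cap is enforced before the user is even asked."""
        grant = self._require(app_id, MESSAGE_FRIENDS)
        recipients = list(recipients)
        if len(recipients) > MAX_RECIPIENTS_PER_ACTION:
            raise PermissionDenied(
                f"{len(recipients)} recipients exceeds cap of "
                f"{MAX_RECIPIENTS_PER_ACTION}")
        if not confirm(app_id, grant.author, len(recipients)):
            raise PermissionDenied("user declined to send")
        for r in recipients:
            self.sent[(app_id, r)] = self.sent.get((app_id, r), 0) + 1
        return len(recipients)

    def _require(self, app_id, scope):
        grant = self.grants.get(app_id)
        if grant is None or scope not in grant.scopes:
            raise PermissionDenied(f"{app_id} lacks scope {scope}")
        return grant


if __name__ == "__main__":
    # Constructed scenario: a worm-like app the user was tricked into installing.
    broker = Broker()
    broker.install("like", "unknown-dev", [READ_PROFILE, MESSAGE_FRIENDS],
                   approve=lambda a, au, s: True)
    friends = [f"friend{i}" for i in range(50)]
    try:
        broker.send_messages("like", friends, "check this out!",
                             confirm=lambda a, au, n: True)
    except PermissionDenied as exc:
        print("blocked by cap:", exc)
    # A second prompt that names the author lets the user refuse the rest.
    try:
        broker.send_messages("like", friends[:20], "check this out!",
                             confirm=lambda a, au, n: au != "unknown-dev")
    except PermissionDenied as exc:
        print("blocked by prompt:", exc)
```

The design choice worth noting is that the cap is checked before the confirmation prompt, so a rogue app cannot even put a "send to 500 friends?" dialog in front of the user; it has to ask in batches, and each batch is a fresh chance for the user to notice the author's name.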
The apps may not be anonymous, but FB seem to do little about apps that are known to be hacked (e.g. Farmville was "outed" as doing some rather dodgy things recently and yet FB didn't seem to respond in any obvious way; certainly Farmville is still available).
One fun option might be for facebook to prominently show reviews by people on your friendslist when an app's asking for permissions. That way anyone who was thinking of giving perms to "Like" would have my "It's a worm" review staring them in the face.
And of course, that's not even a "security measure" - it's a handy feature that you might want anyway.
I think part of the problem is facebook's obsession with UI "upgrades" (i.e. redesigning and making everybody relearn the whole blooming website). You installed "like" because you thought FB was being numptyish again, and it turned out it wasn't, but someone had used social engineering to make you think it was.
I refuse to use *any* application, because I can't tell whether they're part of FB or not. I use it as a minimal tool for certain things. It has its place but mostly it's a pain.
I had always thought of myself as someone who doesn't use facebook apps. That's one of the things that impresses me about this bit of social engineering - it was just convincing enough, for just long enough, to make me think that it was part of facebook, and not really an app.
I'll clarify - I don't use any app that isn't turned on by default. If it's part of facebook, but it looks app-like, I don't use it.
First, I am Jann. I joined this evening because I have nothing better to do than add another 'community' to my day! But after reading through posts, I think I am really going to enjoy it.
I want to add something about a different Facebook worm. Or it may be a variant of Koobface or whatever the latest one is. One of my daughter's friends got, in his messages and written on his wall, a hyperlink that only slightly resembled something someone would send to go see at YouTube. So, like the YouTube freak he is, he clicked on the hyperlink.
Don't ya know, the worm sent out that link to everyone on his friends' list. Not only that, but he lost control of his account. He still had his password, so he suspended his account. Pshaw! It didn't take an hour for that worm to invade his page again and again and again... It doesn't help that several of his friends opened the link.
I do not participate in any of the apps on FB, they are mucked up in glitches anyhow. I use it to keep in touch with my family and friends. And I never, and I mean NEVER, open anything, I don't care if it came from one of my dogs. I got my first virus in 1996 and I was new and it took me forever to get it off on my own. So I am mega-cautious.
Long-winded enough? I agree with gaspodog. However, I have not had one problem on either Facebook or MySpace.
2010-06-17 07:46 am (UTC)
I've Been Hit With This Too
I can't believe that Facebook has allowed this to happen. I mean, they should have their users' online safety at heart.
Not happy but will still keep on visiting FB
Thanks for the warning. I usually trust this kind of message; that's what makes this worm dangerous. I am sure there are lots of Facebookers in the exact same situation right now. Can you tell if cloud security software would help in this kind of situation? I'd appreciate any advice!