Feeds

Facebook suspends personal data-sharing feature

Developers kicked back out of your undie drawer

Protecting against web application threats using SSL

Facebook has "temporarily disabled" a controversial feature that allowed developers to access the home address and mobile numbers of users.

The social network suspended the feature, introduced on Friday, after only three days. The decision follows feedback from users that the sharing of data process wasn't clearly explained and criticism from security firms that the feature was ripe for abuse.

Individual users had to grant permission before developers could hook into the API on Facebook's platform. However, because many users often click through permission dialogue boxes without paying attention, concerns were raised by net security firms such as Sophos that the feature might make life easier for the developers of rogue applications.

Instead of tricking users into handing over their mobile phone number before signing them up for worthless premium rate services, the personal info API feature might be abused to achieve the same end simply by fooling a potential mark into clicking through a dialogue box and installing a dodgy application - a move a greater percentage of victims are likely to fall for.

That's not what the feature was designed for, of course, but it's a plausible scenario of how it might be abused.

Greater sharing of personal information with legitimate apps also raises privacy concerns over the feature because (as initially established) users are likely to be handing over even more data to apps such as Foursquare without anything approaching informed consent.

Facebook said the benefits of the feature included the ability to "easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for up-to-the-minute alerts on special deals directly to your mobile phone".

"As with the other information you share through our permissions process, you need to explicitly choose to share this data before any application or website can access it, and you can not share your friends’ address or mobile number with applications," a post by Facebook on its developers blog explains.

But negative feedback over the weekend has Facebook to reconsider its approach, suspending the feature for at least a "few weeks" to make it clearer that personal data was being handed over.

"We got some useful feedback that we could make people more clearly aware of when they are granting access to this data," Facebook added. "We agree, and we are making changes to help ensure you only share this information when you intend to do so.

"We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks."

Facebook seems to be rediscovering the lessons Microsoft learned when its introduced User Access Control permissions to allow apps to run in Vista. Users can get irritated by constant dialogue boxes, responding by agreeing to everything they see without considering the possible consequences.

A Facebook spokesperson explained that an app can only request information it needs to operate. So if an app has no mobile phone update, it couldn't request a hook into Facebook's personal data API.

Similarly, only something such as a ticket purchase app can request details of home addresses. In addition, all apps need to have a privacy policy that explains to users what data is used and how it will be used or transferred.

We're not convinced that this, even together with user education and a rogue application reporting system, goes far enough towards addressing security concerns that the personal information API is ripe for abuse. Although it doesn't say as much, Facebook clearly shares at least some of these concerns or it wouldn't have decided to suspend the feature. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.