New Facebook application permissions raise security concerns

The announcement to developers that users' off-site contact details will now be accessible programmatically was made quietly in a blog post by Facebook platform developer support employee Jeff Bowen.

"These permissions must be explicitly granted to your application by the user via our standard permissions dialogues," he wrote.

Bowen also noted that these permissions only provide access to a user's address and mobile phone number, not their friend's addresses or mobile phone numbers.

But the move could herald a new level of danger for Facebook users, according to Graham Cluley, senior technology consultant at security firm Sophos.

"I realise that Facebook users will only have their personal information accessed if they 'allow' the app to do so, but there are just too many attacks happening on a daily basis which trick users into doing precisely this," he said in a blog post.

According to Cluley, shady app developers will now find it easier than ever before to gather even more personal information from users.

"You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies," he said.

Cluley believes it will not take long for scammers to take advantage of this new facility, to use for their own criminal ends.

He advises Facebook users to remove their home address and mobile phone number from their Facebook profile immediately, to review privacy settings, and keep up to date with security risks and how to avoid them.

This story was first published by Computer Weekly

What’s hot on Infosecurity Magazine?