How common are vulnerabilities? Tyson conducted some research last September in which he compiled what he called 'a month of Facebook bugs.' He found that six of the top ten applications on Facebook were compromised in that time period. He recently repeated the research and found that half of the top ten are still compromised.
"Those numbers give you an indication that it is a serious problem that hasn't been taken advantage of yet," said Tyson. "But now that we are seeing Facebook spread more across the web, I think attackers are really going to pay attention. We are starting to see a rise in the use of social networking to spread malware."
But Facebook's Simon Axten, who is focused on security for the site, recently contacted CSO to clarify the safety of applications.
"Developers, big and small, must comply with our Platform Policy Guidelines, which require that applications provide a trustworthy experience," he said by email. "We enforce these guidelines regularly and have disabled applications that we've found to be in violation."
Axten also noted that users have a number of options for controlling the information they share with applications, including:
- If you're concerned about an app or the data it may access, don't authorize it.
- Apps are subject to application privacy settings; that is, you can configure what your friends' apps can and can't access.
- You can block applications just as you block individuals on Facebook.
But the issue goes beyond applications. Facebook is now partnering with other sites as part of its new Instant Personalization model, so the security implications extend to those other sites as well, according to Tyson. Earlier this week, a security researcher found an exploit that used cross-site scripting to inject malicious code into Yelp, one of the partner sites in this pilot program. Before it was patched, the exploit would have allowed a malicious site to immediately harvest a Facebook user's name, email address, and any data shared with 'Everyone' on Facebook, with no action required on the user's part.
Facebook's Axten told CSOonline via email:
"Our new Instant Personalization feature is a limited pilot program with three partners (Microsoft, Pandora, and Yelp), which we carefully selected to optimize the specific experiences of collaborating on documents, discovering music, and finding local businesses."