# Facebook enables one-click identity theft option for rogue application developers



## koala (Mar 27, 2005)

From downloadsquad.switched.com


> In a rather odd and haphazard move, Facebook has now made it possible for apps to read your home address and mobile telephone number.
> 
> In the "Request for Permission" window -- the one you have to accept before using an app on the Facebook platform -- look out for "Access my contact information", with the subtitle "Current Address and Mobile Phone Number". You'd think that such important details would deserve a bolder warning, instead of the usual faded gray -- but obviously not.
> 
> ...


More details:
Rogue Facebook apps can now access your home address and mobile phone number | Naked Security
Platform Updates: New User Object fields, Edge.remove Event and More - Facebook Developers


----------



## sjb007 (Dec 10, 2007)

*Your data is Facebook's most valuable asset*

The news will certainly have brought a smile to the one million-strong Facebook developer community, who still go through none of the same strict vetting processes as Apple enforces upon developers trying to launch a product in its App Store.

This lack of vetting has given rise to ‘rogue apps’, which exist to post spam links to users' walls, point users to survey scams that earn them commission - and sometimes even trick users into handing over their mobile numbers to sign them up for a premium rate service, according to IT security firm Sophos. The addition of users’ phone numbers and home addresses (where available) into this mix of data available, once a user downloads an app, can only help rogue apps succeed with greater effect.

Although Facebook, by all accounts, is quite speedy about removing rogue apps from the site, once they have been reported.

A Facebook spokesman issued the following statement: "Developers can now request permission to access a person’s address and mobile phone number to make applications built on Facebook more useful and efficient. You need to explicitly choose to share your data before any app or website can access it and no private information is shared without your permission. As an additional step for this new feature, you're not able to share your friends' address or mobile information.” As expected the company has stressed that third party app developers will only gain access to this personal information, if the user agrees to give make it available when downloading the app. But the spokesman failed to explain why the change has even happened at all.

However, the problem is that many users don't bother reading the small print, when downloading a Facebook app, and just click the accept button without thinking of the consequences, according to Graham Cluley, a technology consultant at Sophos 

>> Your data is Facebook's most valuable asset - Telegraph


----------



## sjb007 (Dec 10, 2007)

*Facebook backtracks on data-sharing after users complain*

Facebook has removed functionality that allows personal data to be shared with third-party application developers following user complaints and security warnings.

Facebook said it was "temporarily disabling" the feature, which allowed third-party app developers to access Facebook members' addresses and mobile phone numbers stored on their profiles once an app was downloaded.

In a statement on the Facebook Developers' blog, the company said: "Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so."

A Facebook spokesman told Computer Weekly the company has a clear policy in the ways developers can use information. The spokesman insisted users have absolute control over choosing whether to share personal information when requested to do so by apps on the social networking site.

But the announcement of new functionality raised security concerns.

Graham Cluley, senior technology consultant at security firm Sophos, said in a blog post: "I realise that Facebook users will only have their personal information accessed if they allow the app to do so, but there are just too many attacks happening on a daily basis which trick users into doing precisely this."

According to Graham Cluley, shady app developers will now find it easier than before to gather even more personal information from users.

The functionality will be re-enabled in the coming weeks when changes have been made in response to user feedback. 

>> Infosecurity (UK) - Facebook backtracks on data-sharing after users complain


----------



## koala (Mar 27, 2005)

Another source: Facebook temporarily removes developer access to your home address and mobile number


> Facebook, after a quiet announcement of the new home address and mobile phone access permissions, has made a quick about-turn. Citing some "useful feedback," Facebook has decided to to make changes "to help ensure you only share this information when you intend to do so."
> 
> The feature, _which will be re-enabled in a few weeks_, will allow Facebook app developers to request both your home address and mobile phone number. The changes being made will hopefully involve a bold, explicit warning in the Request for Permission boxes -- the boxes that you click through to use a new app -- but hopefully there are some better solutions on the table, too.
> 
> Ideally, Facebook would give us the option of securing your details permanently, from your Privacy Settings page. There should be a check box that simply says "never give my home address out" -- but that might be a little too hopeful.


----------

