Press Coverage & Related Links
Dark Reading article
WCAV TV segment
UVA Today article
CNET blog article
My Fbook XSS hack
Joy of Tech comic
The Facebook Platform lets Facebook users add gadgets to their profiles and play with third-party applications without leaving the Facebook site. It's been a wild success: the most popular Facebook applications have around 24 million users, and competing social networking sites have moved to create their own imitation platforms. However, although these open platforms enable cool features, they also pose serious privacy risks.
Users view their profiles on social networking sites as a form of self-expression, but these profiles also have commercial value to marketing companies, competing networking sites, and identity thieves. Data mining through the development platform can potentially affect more people than screen scraping, because it exposes information that might otherwise be hidden (i.e., users with "private" profiles may still install applications).
If a user wants to install an application, she must grant that application full privileges. Privacy settings can be applied to friends' applications, but one standard is set for all applications. There's no way to say, "X gets my hometown but Y only gets my favorite music." The principle of least authority, a security design principle, states that an actor should only be given the privileges needed to perform a job. In other words, an application that doesn't need private information shouldn't be given any.
We (with the help of Andrew Spisak) performed a systematic review of the top 150 Facebook applications in October 2007 and examined their information needs.
We found that 8.7% didn't need any information; 82% used public data (name, network, list of friends); and only 9.3% needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need.