By David Worthington | Monday, December 21, 2009 at 9:01 pm
This past weekend, a trojan mimicked Facebook’s native functionality and sent notifications on the user’s behalf. While Facebook says that the application was harmless, its ability to break through a boundary of trust on the platform alarmed me.
The trojan came to my attention on Saturday after I received several Facebook notifications (in the form of a red number in the bottom right of the page) telling me that friends had commented on my photos. It was the same notification that I receive on a day-to-day basis.
When I clicked on the notification, it attempted to load an application called “Phutos,” which wanted access to my personal information and social network. I declined. A few minutes later, another notification appeared, but I was not taken to the application screen after I clicked on it. That seemed fishy, so I decided to review my applications.
“Phutos” was under my list of recently used applications, even though I never authorized its installation. At that point, I uninstalled the application and notified Facebook of my findings. Obviously, I also had some questions for it.
Facebook spokesperson Simon Axton stayed in steady contact with me over the weekend, and informed me today that the company had disabled the application because it violated Facebook’s Developer Principles and Policies. Facebook had determined that the application did not contain any malware, and has a dedicated enforcement team that investigates reports about suspicious applications, he told me.
When I asked what else Facebook does to protect its users, Axton said “We rely on reports from users for suspicious applications. Our team also conducts spot reviews of top applications and of many other applications, including looking at the data they need to run the application versus the data they gather. When we find a violation, we take action to enforce our policies.”
It’s great that Facebook says it’s taking its users’ safety seriously, but I am taken aback by how easily a third-party application could mimic Facebook’s default Web applications. Users can now specify what information applications may access, but everyone uses Facebook differently, so there is a bounty of information for malware to exploit.
There should be a wall between the Facebook development platform and the applications that make up the site itself.