There are many misconceptions about the security of Facebook, Facebook applications, and the frequent scams that seem to plague the world’s largest social network. To help set the record straight, I would like to shed a bit of reality on the most common myths about Facebook security and privacy today. These are real examples of statements that I have encountered regarding Facebook and their privacy controls and security measures. Some have surprising truth to them and others are completely false and misleading. I’ve broken these myths into three areas: Facebook applications, privacy, and security myths.
To Facebook’s credit, Facebook has made considerable strides over the last few years by implementing new security and privacy controls as well as getting the Facebook security team more visible. Some of the newer implementations, such as full site SSL and social authentication, will continue to improve the security of Facebook. Unfortunately, many of these myths will still persist. This is because users will believe what they want to believe despite new controls and efforts being put in place by Facebook.
Facebook Application Myths
Myth: All Facebook applications are created and managed by Facebook.
Myth: Facebook reviews all applications for security vulnerabilities, scams, or frauds.
Reality: In general it would be very difficult with Facebook’s current application developer model to review the code for all Facebook applications. According to Facebook’s official statistics, people on Facebook install 20 million applications every day and according to an older statistics page I found dated November 2010 there were approximately 550,000 active applications. This is an extremely large amount of applications to check for security issues. This problem also becomes more challenging when developers release new code or updates to existing applications. How is Facebook currently addressing this issue? Facebook made a statement in this recent InformationWeek article talking about how they review applications. Facebook claimed to have a dedicated security team that “does robust review of all third-party applications, using a risk-based approach.”
“That means that we first look at velocity, number of users, types of data shared, and prioritize,” the statement read. “This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched.”
In other words, they look at applications that fall into specific categories because it would be near impossible to check every single application. There is also no mention if Facebook conducts a code review of applications selected for review. The bad news, of course, is that once Facebook shuts down one rogue, malicious application another one is easily right behind it to take its place.
Myth: Facebook applications don’t have typical web security flaws.
Reality: Facebook applications can be developed insecurely just like any other web based application. In fact, in 2009 security researcher theharmonyguy conducted the “Month of Facebook Bugs” exposing security flaws in many of the popular Facebook applications at the time. These flaws included XSS (Cross-Site Scripting) which can be used to attack the users of applications, SQLi (SQL Injection) which can be used to extract personal or private information from the database of applications, and ClickJacking or LikeJacking which can be used to initiate actions without the user’s knowledge.
Myth: Facebook is responsible for any information you provide to Facebook or third-party applications.
Reality: This is a tricky one. At the end of the day, you’re responsible for what you post and any information you provide Facebook or third-party applications. There is no guarantee that Facebook or third-party application developers will not misuse or sell your information. This has happened in the recent past.
Myth: Facebook allows developers to do whatever they want with their applications and can collect your personal information.
Reality: Facebook has certain policies that you can read for yourself about what a developer can or can’t do. It’s important to note that Facebook used to be more restrictive with these rules in the past. For example, application developers could only keep personal data collected for 24 hours. Facebook has now removed this restriction and has relaxed many other policies so it’s easier for developers to integrate with Facebook. Having said that, it’s hard for Facebook to truly “enforce” these policies unless a malicious application is reviewed by them or it’s reported to the Facebook security team. It’s a battle that is going to be very hard to win based on the current way Facebook allows applications to be developed.
Facebook Privacy Myths
Myth: Facebook reviews all third-party companies that collect your personal information.
Myth: Facebook takes user privacy seriously.
Myth: Facebook has very little privacy controls.
Reality: This is false. In fact, Facebook has made great strides over the years in providing its user base with easier to use privacy controls. I’ve seen this myself while putting together my Facebook Privacy & Security Guide over the years. The problem has become that many users don’t know where these settings are or how to use them. Facebook also hasn’t done a great job of communicating changes to privacy settings in the past. Users of Facebook and computer users in general have become immune to pop-ups and hard to read sign-in notifications. It’s simply become easier for users to just “click through” so they can get to what they want in Facebook.
Myth: Facebook makes it easy for users to delete their accounts.
Reality: The truth is that the process of deleting your Facebook account has gotten only slightly better over the years but still remains a confusing one. For example, here is one guide that walks you through the procedure. Facebook still has account “deactivation” as the first step in the account deletion process, which many users still find confusing. Many users are also confused between “deactivation” and “deletion.” Others think that by successfully deleting their account all the information including pictures they posted are removed from Facebook forever. While Facebook may say they remove all of your information, you still can’t stop others from copying it or saving those party pictures of you to their hard drive. The rule to remember is that once you post something on Facebook, you should always think of it as public information.
Facebook Security Myths
Myth: Facebook scams are mostly variations of the same one over the years.
Reality: Many of the Facebook scams found are simple variations of text messaging, promotion give-a-ways (iPads, iPods [insert latest hot gadget here]), who visited your profile (ProfileSpy), and improvements to existing Facebook services like chat and instant messaging. In fact, one scam I blogged about over a year ago is still being used today. The basic rule to remember is that if something is popular in our culture, such as tech products that everyone wants, it’s most likely going to be used for scams and frauds. Remember the old rule: if it sounds too good to be true, it probably is.
Myth: I can’t get a virus or malware by using Facebook
Reality: All it takes is clicking on a malicious link from one of your friends, installing a rogue application, or falling for one of the many scams that offer “free” stuff. Facebook is doing a better job of cleaning up malicious links and other related activity. However, the Koobface worm and associated variants are still a problem and adapt well to attempts by Facebook to rid them from the platform.
Myth: I can trust my friends on Facebook because they would never send me anything malicious.
Reality: It’s always nice to trust your friends but this gets complicated on Facebook. Social Network worms such as Koobface as well as hijacked or stolen accounts are frequently used to social engineer Facebook users to click on a link or send money to foreign countries. All of these scams exploit the trust relationships that you have with people you know. It’s a simple and highly effective technique that’s still being used today.
Myth: Facebook does not have a security team or a way to report security issues/SPAM/scams.
Reality: Contrary to popular belief, Facebook does have a security team and ways to report security and privacy issues. In the past, many of these types of requests would have met the infamous “Facebook Blackhole” in which emails or support requests were never answered. Recently, there have been many improvements to help communicate the presence of this team. For example, you can “like” the Facebook security page, report a compromised account, learn how to report security vulnerabilities, as well as get good tips on what to do when you see security issues.