Slashdot Mirror


Tens of Thousands of Malicious Apps Use Facebook's APIs (threatpost.com)

Slashdot reader lod123 quotes ThreatPost: At least 25,936 malicious apps are currently using one of Facebook's APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address. Trustlook discovered the malicious apps using a formula, which created a risk score for apps based on more than 80 pieces of information for each app, including permissions, libraries, risky API calls and network activity... A malicious app (with a risk score above 7) "might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls," a spokesperson told Threatpost...

To be fair, Facebook is not the only company with its APIs embedded in malicious applications... "The problem, for the most part, is that this is data that is provided when their login is used elsewhere. The API is simply passing through intelligence it has gathered from their profile," said Chris Roberts, chief security architect at Acalvio, via email. "LinkedIn, Google and Twitter, among others, have similarly flawed APIs that can be used to harvest information both about you (the target) and possibly associated individuals...depending upon queries and other developer privileges that are being exploited."

A Trustlook spokesperson summarized their position after the report. "Just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs."

28 comments

  1. The morals of facebook APIs by Anonymous Coward · · Score: 0

    should be all-American, the world over. Just like their content policies.

    No titties in APIs, dammit! And no copyright infringement if the copyright belongs to a MAFIAA-member! But beheadings and other violence are just fine.

  2. Fuckerberg should DIAF by Anonymous Coward · · Score: 0

    And Fuckerberg just shrugs. He got his shekels already so why would he care?

    1. Re:Fuckerberg should DIAF by Anonymous Coward · · Score: 0

      "Just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs."

      Coca-Cola makes money selling an actual product.

      Facebook does not.

      That's the reason why (((Mark Zuckerberg))) doesn't give two shits about malicious apps.

    2. Re:Fuckerberg should DIAF by Anonymous Coward · · Score: 0

      Their users ARE their product, dumbass. And FB makes plenty of money off them, too.

    3. Re:Fuckerberg should DIAF by Anonymous Coward · · Score: 0

      So tell us, why should he? Everything was done with full consent of all involved. Every 'agreement' you click through essentially says that everything you do can and will be used against you, and you clicked 'Okay'. So there!

    4. Re:Fuckerberg should DIAF by Anonymous Coward · · Score: 0

      Hey, unless you quit buying, you're in it just as much as anybody. Yeah, it's about the shekels. That's what people go into business for. If you got a problem with that, find a quarter and go call somebody who gives a damn.

    5. Re:Fuckerberg should DIAF by Anonymous Coward · · Score: 0

      You're so totally weird! Everything is a simple expression of the life force. What is your problem, boy??!

  3. All Facebooks Apps are Malicious. by gurps_npc · · Score: 4, Interesting

    They have access to Facebook, that makes them malicious.

    Until we create and enforce a law preventing anyone from maintaining a record on people who have not given them express permission to maintain that record, Facebook and their ilk are malicious.

    My data should have my permission before it is kept, not after.

    --
    excitingthingstodo.blogspot.com

    1. Re:All Facebooks Apps are Malicious. by alvinrod · · Score: 1

      Most people would happily tick that box without even bothering to read the fine print. It doesn't matter what law you pass if you can't get people to understand the importance of keeping their data private and secure. Hopefully things will improve in future generations, but I suspect that history will look on us as digital barbarians of sorts.

    2. Re:All Facebooks Apps are Malicious. by JMJimmy · · Score: 1

      We need a central database of information types/uses (but no actual personal information) which anyone who collects personal information can query to get a user's preferences. Set once and forget.

      Apps/websites/etc must then adhere to those preferences, even if it interferes with the operation of their service. These defaults could then be overridden on an individual basis as an opt-in approach.

    3. Re:All Facebooks Apps are Malicious. by Anonymous Coward · · Score: 0

      MODDOWN! ; creimer spam post again!

      creimer wants you to click on his youtube channel, then click on his stupid amazon affiliate link spam on Youtube. There is nothing of value on creimer youtube channel. Only creimer click-bot goes there.

      creimer, I reported you to youtube and amazon and I keep reporting every spam post you make so all these spam posts will do is bring your view count in negative territory for a given day since youtube barred your stupid click-bot and your spam posts.

    4. Re:All Facebooks Apps are Malicious. by Anonymous Coward · · Score: 0

      That's just it. It should not be a box to tick. Also, things like Facebook should not generally be public to begin with, but that's another issue. If it was law that a company had to verify your identity and sign a document stating you give them permission to use your data then that would solve most problems.

  4. Login should just be checking credentials. by Anonymous Coward · · Score: 0

    The purpose of a login API should just be to verify the credentials of the person attempting to login to the service, period. The fact that "when people use Facebook Login, they grant the app’s developer a range of information from their Facebook profile" is simply incorrigible.

    1. Re:Login should just be checking credentials. by Anonymous Coward · · Score: 0

      It’s because Fuckerberg’s customers demanded as much info on the product as possible. So in order to maximize his take of shekels he whores out his products as much as possible.

  5. They would rape their granny by Anonymous Coward · · Score: 0

    If there was an API for it,

  6. LinkedIN by Anonymous Coward · · Score: 0

    Finally! Someone is bringing up LinkedIN.

    Just think what information about you that could be more damaging. Your vacation and cat photos on facebook or your work history, news, and employers on LinkedIN?

    And we don't know what they do with our information at all.

  7. Your best solutions, please? by shanen · · Score: 1

    Yes, it's important to look at the problems, but if there is no solution, is there really a problem? There seems to be a lot of confusion these days about reality, ugly reality, and bothersome realities that certain people refuse to believe in. (Even worse when gaslighting Level-3 liars exploit the will to believe...)

    So is there any solution to this malicious app problem? I think the best solution approach would involve exposing the financial models of the apps, with secure commentary provided by financial experts. In minimalist other words, if we knew where the money was coming from, then we would have a much better chance of avoiding the scams. By the way, the same basic approach would help with malicious smartphone apps.

    On today's Slashdot the only response will probably be a pile of snark, but let me suggest a few solutions there, too. You snarksters could stop and think a minute. You could ask for clarifications of parts that you don't understand. Even better if you could offer a better suggestion or three.

    On the one hand, I feel like dragging in a couple more solutions, such as EPR or the news-reputation as a multidimensional metric, but on the other hand today's Slashdot doesn't feel so motivating.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.

    1. Re:Your best solutions, please? by Anonymous Coward · · Score: 0

      You're overthinking this press release by a "computer security" company that gets its relevance from releasing alarmist press releases. This remains the case even if there is a lot of abuse on top of the abuse that is facebook itself.

      The problem fundamentally is that facebook is leaking abusable information to any and all parties. How the fuck does it even make sense to try and police how other entities are going to use the data you've released to them? Hint: It doesn't, so don't even try. So to "solve" the problem, you have to redefine it until your solutions start to make sense and become possible. Which means shutting down the APIs for everybody, not using facebook in the first place, that sort of thing. Anything short of that is really just deluding yourself.

    2. Re:Your best solutions, please? by shanen · · Score: 1

      There's some secret reply, eh? Sorry, AC, I'm NOT interested in wasting time investigating. Your claim of AC status is equivalent to a claim of ZERO EPR and my hypothetical visibility setting for EPR would be higher than the positive default.

      It could be worse. The "hidden comment" could be an accredited comment that has already been modded into invisibility. In that case the local reputation would be overwhelmingly negative (except for the even more remote possibility of troll attack).

      Rather sad if the secret reply actually had a constructive solution, eh? I would have liked to have seen it in that unlikely case. Much more likely it was just a bit of snark.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.

    3. Re:Your best solutions, please? by Anonymous Coward · · Score: 0

      The solution is a VPN with a fake account. Have a device/virtual machine for Facebook and crappy apps. Then have a device you only use for friends. Then have a 3rd device only used for online shopping. Granted, these don't have to be real devices besides phones. You can use virtual machines too. Preferably also use a VPN that has dozens of locations around the world you can randomly connect to. Set your computer/phone/gateway to connect to VPN first before anything else.

    4. Re: Your best solutions, please? by Anonymous Coward · · Score: 0

      Big data and shadow profiles might completely negate the effectiveness of such a scheme.

      The virtual machines would be detectable, and it is likely the underlying hardware can be detected. This would create a signature to tie multiple VMs together regardless of what VPN they are going through. And if somebody really wanted to know, there have been meltdown and spectre vulnerabilities, and who knows what vulnerabilities might still be kept secret...

      Cell phones are typically sold in regions. Those cell phones have location data and can be traced to very accurate locations, which can be used to tie data together regardless of VPN or such.

      Browsing habits and search keywords may be highly localized. Facebook interests and friends may be highly localized. Finally, shopping is tied to identifiable information and usually shared with third parties anyway, significant fuel for the shadow profile. Data Analysis would likely be able to see through your "fake Facebook profile" disguise, and VPN habits, and tie real data to your "fake" account. Eventually enough data is gathered to tell that a connection from an IP is over a VPN, and enough to tell where that data may have originated.

      Unless a significant majority use a means of anonymizing their data, the process of elimination makes it possible to tie anonymous data with likely owners of that data.

  8. FaceBook API by Anonymous Coward · · Score: 0

    That is the whole point of the API, to give others your information.

  9. Tens of Thousands of Facebook articles by Anonymous Coward · · Score: 0

    on slashrot

  10. teste by Anonymous Coward · · Score: 0

    This is a Sample for comment test
    http://www.urltesting.com