Facebook f8 Changes Raise Five Serious Security and Privacy Concerns

September 2011


Facebook Changes to Open Door to Interactive Scams, Bring Twitter-Like Problems

Facebook’s planned changes from this year’s f8 Developer Conference, while increasing interaction between users, could also flood the site with Twitter-style spambots and increase targeted attacks.

The last few weeks have been hot for Facebook users. After updating Privacy Controlsand silently pushing the Smart Lists, the f8 pushed usability and privacy to a new level: Subscribers, News Ticker and Wallfacelift,  and the star of this f8 conference, the Timelineand the new Open Graph features.

While these new features will increase interaction between users, privacy and security issues were pushed to new limits. Here are the five main concerns.

1. Smart Lists will push users to share more info publicly ... supplying the perfect weapon for targeted attacks.

Smart List encourages people to complete their profile with job, education and work projects. Every time somebody creates a list with colleagues from a specific job, they tag this in their profile. Of course, this is generally not confidential information, and the users have the final decision in approving the info.

But having this information public and indexable will make it easier to create high-level targeted attacks. High-level attackers find out exactly who is working in a specific company, their job and, more importantly, what project they are working on. And we are talking about 800 million users.

2. Subscribers could increase the number of spambots, just like on Twitter.

The main difference between Facebook and Twitter attacks is that Facebook has many hijacked accounts while Twitter is inundated with spambots. With the new subscriber feature, Facebook is open to Spambots and "how to get more subscribers" schemes. Copying Twitter features may also mean importing Twitter scams.

3. Everything you’ve ever shared on Facebook is now available and easy to browse.

The Timeline is a revolution of usability. But it's also the open story of our life. If a user doesn't change the default settings to restrict who can see the wall, this story will be available to anyone: friends, photos, places you've checked in, relations and much more. It was available until now, but not so easy to use.

4. Health is now social... and public.

The Facebook timeline considers health information social. Now it’s easy to share health-related information such as breaking a bone, undergoing surgery or overcoming an Illness. Probably most disturbing point here is that this information is set to "Public" by default.

5. Widgets ... the open door to interactive scams.

Facebook introduces the "widget" concept to the new timeline. It lets developers take action on various objects. This moves the interaction to a whole new level. Until now, everyone who had an application installed interacted with his friends inside the app. Now, the app is on the user wall, so anyone who interacts with the user profile interacts with the app.

Considering the short lifetime of spammy apps, this could boost their efficiency. Of course, this feature is just starting, so it will likely take a while until the scammers exploit it. But every successful viral feature has eventually been exploited by social media scammers.

With more and more information in the profile, the account hijacking problem has become increasingly important. Facebook is doing a lot in eliminating noise, but has taken no important step in security. After the large number of problems related to Facebook Security, many expected an announcement regarding  session hijacking on unsecured connection, a notable security issue for many Facebook users.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.


Share This ON: