Do Facebook Application Settings Put Users At Risk?

A new article published by CNet yesterday highlighted a report which suggests that some of Facebook’s application settings put Facebook users at risk. The source of the issue is a relatively recent addition to the platform: extended permissions. Extended permissions are a feature of the Facebook Platform through which developers can request ongoing access to user information, without the user having to interact with the application again. So are users at risk? Possibly, and we explain how to protect yourself in this article.

The Introduction Of Extended Permissions

As Facebook has evolved their platform, the company has slowly cut down on the number of “viral” channels in order to protect users from application spam. While users have been increasingly protected on the Platform, developers have complained that Facebook has been cutting down on the channels through which they can communicate with users. Being able to communicate with users is a fundamental selling point of the Facebook Platform and as such Facebook took steps to improve those channels.

Through the use of an “Extended permissions” feature, users can grant applications access to a variety of personal “integration points”. Whether it is permission to email a user, permission to post on their wall, permission to update their status automatically, or something else, extended permissions give the user control over what developers can do. Extended permissions effectively appeased developers who wanted to continue to communicate with users; however, users weren’t educated on these new features.

Should Facebook do more to educate users about the feature? A quick search for “Facebook extended permissions” in Google turns up a list of developer sites and forums, not pages which educate users about it. It may simply be because nobody has taken the time to write about it, or because users don’t care: they just want access to an application. That’s a point which is up for debate; however, it’s important to understand that these features exist.

Room For Abuse

As Facebook has iterated on the application authorization process, it has become easier for applications to prompt users for permissions which grant the developer a large amount of access. For example, an application can prompt you to grant the developer ongoing access to your Facebook wall/stream, enabling them to publish stories whenever they’d like. While Facebook’s Platform terms require a user to take an action before a story is published, the report published by CNet suggests that malicious developers can ignore that requirement and exploit these features.

So what does that mean? In theory, if you visit an application and grant it extended access to various components of your Facebook profile, you are creating the opportunity for abuse by the developer. As the report points out, one form of abuse would be posting malicious links to your profile without your approval. While Facebook pursues developers who abuse the system, that is a reactive step: users can become victims before the developer gets banned from Facebook.

While I believe that you can’t protect ignorant users, there’s practically no documentation explaining this functionality to users, so in theory 99 percent of Facebook users are “ignorant”. The only documentation for users I could find on Facebook was in the developer area, and it is only briefly referenced in the Facebook help section.

How To Protect Yourself

So, for the Facebook users who still don’t understand Facebook applications and “Extended Permissions”, here are a few things you should keep in mind:

  • Applications cannot require you to grant extended permissions – Facebook applications cannot mandate that you grant extended permissions in order to use them. If an application does, simply don’t use it. While Facebook will allow developers to require access to your email address once it rolls out email access tomorrow, developers cannot require that you grant ongoing access to your wall, status, or anything else.
  • Delete any applications which abuse your permissions – Do you keep seeing posts show up on your wall which you didn’t authorize? If the source of those posts is an application, you should remove it from your account. While Facebook still has a wall spam problem, you can typically limit most of it by removing specific applications. Alternatively, if you’d like to keep an application but limit its access, you can visit the edit applications page and modify each application’s settings from there.
  • Be aware – The best thing to do is simply to be aware of what’s being posted to your profile and your friends’ profiles on Facebook. While most postings are now authorized by users, a large volume of unauthorized content remains.