Los Angeles — Just when it seemed that the conflagration over Facebook privacy issues was cooling off, Facebook has stoked the fire once again. Over the weekend, the social-networking champion (four Golden Globe awards winner) updated its developer blog with a post announcing that it had modified its platform to make users’ home addresses and phone numbers accessible to developers.
A newly unveiled feature that allows Facebook apps to collect user addresses and cell phone numbers could easily be misused by scammers. The post was subtly titled “Platform Updates: New User Object fields, Edge.remove Event and more.” Perhaps a more fitting title would have been, “We are Giving Developers Access to User Mobile Phone Numbers and Home Addresses.”
Obviously, there are legitimate uses for this sort of access to user data, but the drawbacks for users who are not careful — very careful — seem to far outweigh the benefits. The move, according to a security expert, “could herald a new level of danger” for Facebook members.
Facebook is not simply releasing this information into the wild; it is adding it to the company’s “User Graph object,” where access is gated by permissions that a user must grant when installing an app.
“We are now making a user’s address and mobile phone number accessible as part of the User Graph object,” wrote Facebook’s Jeff Bowen. “Because this is sensitive information, we have created the new user_address and user_mobile_phone permissions. These permissions must be explicitly granted to your application by the user via our standard permissions dialogs.”
“Please note that these permissions only provide access to a user’s address and mobile phone number, not their friend’s addresses or mobile phone numbers,” says Bowen.
Meanwhile, security expert Graham Cluley took the company to task for even allowing the information to be put in the developers’ domain. “The ability to access users’ home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users’ profiles,” Cluley, a security consultant at antivirus firm Sophos, wrote in a post on Sunday. “You have to ask yourself: Is Facebook putting the safety of its 500-plus million users as a top priority with this move?”
He continued, however, that even though the information will only be accessible when a user gives permission, “there are just too many attacks happening on a daily basis which trick users into doing precisely this.”
“Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission — and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service,” Cluley wrote in a blog post.
Furthermore, last year, there were reports that Facebook user IDs were being sent to third parties. Facebook initially proposed encryption as a possible workaround, but later opted to embed the user ID in an HTTP POST body, which means it will not be exposed in any HTTP referrer header at all, encrypted or not.