Simon Bisson & Mary Branscombe's Blog

Stay out of my inbox

By Simon Bisson & Mary Branscombe in Editorial

Posted in Security on September 28, 2009 at 4:16 pm


Is this another Beacon moment? Keeping apps out of the Facebook inbox is good security. Even though the new Facebook plan to give apps access to the contents of user inboxes is restricted to whitelisted apps, that doesn’t mean they’re safe apps. Despite Google’s airy claims, just because something runs online, in the browser, does not mean it is safe (I’m still boggling security professionals with the claim by the Google Gears team at Google IO that “everything in the browser is inherently safe”). Whitelisting may mean the app isn’t malicious, but it doesn’t guarantee it’s not vulnerable.

If you’ve ever spent time drilling into the Facebook APIs (and the FBML language) you won’t be surprised at just how much data a not-so-well-behaved application can harvest and take back to its own servers. Sure, it helps build more complex games and powers the viral explosion of memes across Facebook, but it’s a whole heap of security violations just waiting to happen. Yes, you have to opt in to every request, but ticking boxes and clicking OK is what we’ve been doing on Facebook for the last couple of years. Why change your habits now?

And making inbox access opt-in doesn’t make it safe. We’ve trained the monkey to click OK on just about any dialog box if what the dialog offers is tempting enough - or if the dialog box is in the way of what I really want to do. Put a dialog box between me and my plan to dash off a quick update as I jump in the taxi to the airport and I might not read that dialog with the same due care and attention you were counting on.

And Facebook is full of career-limiting, security-breaching detail. Bank security questions? I bet I can answer them if I can see what memes you’ve been answering. Last three things you bought, first pet, second school you went to? There’s a meme for that. What’s in your inbox that you wouldn’t want posted on some random Web site?

Inbox access is the latest opt-in feature for apps; but they can do a lot more than throwing sheep…

I’ve been waiting for the Google backlash for a couple of years now; the blanket promise ‘not to be evil’ is no replacement for a thorough security lifecycle and privacy policy. Facebook’s Beacon advertising obviously didn’t make people too worried; the recent collection of ‘resignation by incautious Facebook status update’ proves that. Facebook users want to share; it’s up to Facebook to make sure that the platform doesn’t turn that enthusiasm into a threat.

There’s a petition against app inbox access over at http://www.keepmyinboxprivate.com/?ref=nf, which takes you in turn to http://apps.facebook.com/keepmyinboxprivate/; ironically, the petition itself is an app that asks if it can publish a link to the petition on your Facebook Wall.

–Mary

