Simon Bisson & Mary Branscombe's Blog

Stay out of my inbox

By Simon Bisson & Mary Branscombe in Editorial

Posted in Security on September 28, 2009 at 4:16 pm


Is this another Beacon moment? Keeping apps out of the Facebook inbox is good security. Even though the new Facebook plan to give apps access to the contents of user inboxes is restricted to whitelisted apps, that doesn’t mean they’re safe apps. Despite Google’s airy claims, just because something runs online, in the browser, does not mean it is safe (I’m still boggling security professionals with the claim by the Google Gears team at Google IO that “everything in the browser is inherently safe”). Whitelisting only means the app isn’t malicious; it doesn’t guarantee it’s not vulnerable.

If you’ve ever spent time drilling into the Facebook APIs (and the FBML language) you won’t be surprised at just how much data a not-so-well-behaved application can harvest and take back to its own servers. Sure, it helps build more complex games and powers the viral explosion of memes across Facebook, but it’s a whole heap of security violations just waiting to happen. Yes, you have to opt in to every request, but ticking boxes and clicking OK is what we’ve been doing on Facebook for the last couple of years. Why change your habits now?

And making inbox access opt-in doesn’t make it safe. We’ve trained the monkey to click OK on just about any dialog box if what the dialog offers is tempting enough, or if the dialog box is in the way of what I really want to do. Put a dialog box between me and my plan to dash off a quick update as I jump in the taxi to the airport and I might not read that dialog with the same due care and attention you were counting on.

And Facebook is full of career-limiting, security-breaching detail. Bank security questions? I bet I can answer them if I can see what memes you’ve been answering. Last three things you bought, first pet, second school you went to? There’s a meme for that. What’s in your inbox that you wouldn’t want posted on some random Web site?

Inbox access is the latest opt-in feature for apps; but they can do a lot more than throwing sheep…

I’ve been waiting for the Google backlash for a couple of years now; the blanket promise ‘not to be evil’ is no replacement for a thorough security lifecycle and privacy policy. Facebook’s Beacon advertising obviously didn’t make people too worried; the recent collection of ‘resignation by incautious Facebook status update’ proves that. Facebook users want to share; it’s up to Facebook to make sure that the platform doesn’t turn that enthusiasm into a threat.

There’s a petition against app inbox access over at http://www.keepmyinboxprivate.com/?ref=nf, which takes you in turn to
http://apps.facebook.com/keepmyinboxprivate/; ironically, the petition itself is an app that asks if it can publish a link to the petition on your Facebook Wall.

–Mary
