Facebook Security

The website of the University of Washington Computer Security and Research has posted a review of Facebook security, which is worth reading for anyone with an account on that site. The essential features are these:

  1. Facebook is opening itself to problems from shoddy/malicious code; one example of this was 'secret crush'
  2. To use an application, a user exposes all of their confidential information (this is not news to me)
  3. If a friend has installed a malicious application, they have exposed all of my information

The latter is a real problem: some of my contacts have hundreds of applications for no apparent good reason, any one of which could be a spam harvester. I know this as I often get invites to install some obscure application, which I routinely ignore as I have no wish to expose my account for a five-minute-wonder application. However, I had not realised that everything except for my friends' information was already exposed by the act of my contact having this application installed.

Fortunately there is an (obscure) fix. You can limit how much information is exposed to applications that your friends have installed by going to an obscure Facebook options page. I have no idea how to click into these settings within Facebook. They seem to make it tricky to manage account security; indeed, it's probably not really in their interest to allow people to lock things down.

The summary of the article is this:

Although Facebook has some provisions to protect users, applications are an easy way to sidestep any security measures put in place by Facebook.

If I were you, I'd limit the amount that you expose to applications your friends have installed, and remove any applications you don't need - the latter will also make your whole experience that bit more efficient. You can remove applications with this settings page.

Whilst you're at it, you should control who can see your stuff and separate your contacts into 'friends' and 'people I know on Facebook'. The latter do not need to see all of your details. You should also give some thought to what is visible to someone who searches for your name.