After all the recent personal, medical and call data collecting scandals it seems like Facebook is not planning to leave the headlines. In the end of April, 2018 Trustlook has discovered 25,936 malicious apps that have been and still are using Facebook API’s.
Malicious app developers abuse the APIs to access information beyond user’s permission
Once the user logs into any app through Facebook it usually requests a permission to obtain necessary information from one’s Facebook profile for example name, email, location and etc. However malicious apps abuse this Facebook login permission feature and harvest more than just your basic credentials. A good example would be The Cambridge Analytica data harvesting scandal which affected 87 million Facebook users in order to use the collected information to allegedly help politicians influence the voters. Even though, after the event in 2015 Facebook has made some significant changes in its API policies and functions, but app developers we still able to obtain some information from the friend networks of people who used Facebook logins.
The issue with currently discovered malicious apps is that they can be leading to another Cambridge Analytica scandal. All the found apps had a high risk score of 7, which means that they can be recording user’s audio, taking pictures or making large amount of network calls even when the app is closed. Trustlook found these apps with their SECUREai App Insights software which claims to scan and provide more than 80 pieces of information for apps worldwide, including permissions, libraries, risky API calls, network activity, and a risk score.
Facebook is not the only platform with flawed APIs
Researchers made it clear that Facebook is not the only company with its flawed APIs embedded in malicious applications. Twitter, LinkedIn, Google, and Yahoo offer similar options to developers, and thus their user data faces similar exposure. Actually just a week ago Twitter sold data access to the Cambridge University academic who also obtained millions of Facebook Inc.
In an interview with Threatpost, David Ginsburg, the vice president of marketing at cybersecurity risk posture and compliance specialist Cavirin, said:
Even if one is selective on adding third-party apps, [understanding] the privacy and data policies require a Harvard MBA,” he said via email. “Using the new Instagram (a Facebook property) policies (as of April 19) as an example, the Terms of Use run to more than 3,000 words and is judged as ‘difficult to read.’ The data policy runs to over 4,000 words.
Facebook’s CEO Mark Zuckerberg mentioned that the company will be more strict to thousands of apps, and will hire additional 10,000 new cyber security and content moderation specialists this year. On the second hand, it is hard to say whether this plan will be successful because of the 2017 cyber industry report expecting a shortage of 1.8 million workers globally in the projected field. Whether or not this is true, Facebook should look into other options as well and try to fix the issue before the history repeats.
Discussions about further privacy protection tactics
Although cyber professionals agree that in order to achieve a better user privacy protection it should be done nationwide and all at once so that everything would get set to opt-out and users could re-opt their third-parties, this would be a huge inconvenience. What is more IT specialist came to the conclusion that the government should get involved by regulating social media personal data collection, yet the majority understands that government officials lack a lot of knowledge understanding the nuances of digital privacy and social media.
Despite government getting involved or not it is obvious that social networks should step their security game up before another major data-harvest accident happens.
Source: Threatpost.com
