I agree with the least privilege thing - a smarter and finer grained system might help. I don't know how much it'd help, since many users aren't likely to be able to distinguish between the different levels of permission they give to different apps, but I think it'd at least help a bit.
Yes, the app author isn't anonymous. What I was complaining about above was that the app author wasn't immediately obvious to me at the moment I was clicking "Yes, give permissions to this app". On my Android phone whenever I install an app, I get a screen which says "the app called X, written by Y wants permission to do Z". If Y is Google, then I'm fairly confident it's not malware.
And yeah, I noticed that I wasn't able to send a single message to everyone that the worm notified. The limit on the number of people that can be notified at once seems to be higher than the number of people that can be messaged at once.
The apps may not be anonymous, but FB seem to do little about apps that are known to be hacked (e.g. Farmville was "outed" as doing some rather dodgy things recently and yet FB didn't seem to respond in any obvious way - certainly Farmville is still available).
One fun option might be for Facebook to prominently show reviews by people on your friendslist when an app's asking for permissions. That way anyone who was thinking of giving perms to "Like" would have my "It's a worm" review staring them in the face.
And of course, that's not even a "security measure" - it's a handy feature that you might want anyway.