The BBC Writes Application That Steals Personal Info From Facebook

Feel wary about giving applications access to your Facebook page? Worried one of those quizzes or games might be maliciously harvesting your data? You were right to worry. The BBC had the same idea, so they decided to write a program to do just that. And it worked. Not only did it steal the data of Facebook users who installed the application, it also victimized all of their “friends.”

From the BBC:

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?

Facebook responded by saying that they remove applications that violate their terms of use.

‘Identity’ at risk on Facebook [BBC]

(Thanks, T.J.!)



  1. Rectilinear Propagation says:

    So it doesn’t matter how well you protect yourself if you’re friends with people who don’t care about protecting their information.


  2. iEddie says:

    I don’t use sites that violate my terms of use either.

    What a joke.

  3. mdoublej says:

    Just never saw the point of sharing everything online. Guess I just missed the “Hey Look at ME!!!” generation. Now it seems even sillier.

  4. azntg says:

    Now that’s some proactive protection!

  5. Angryrider says:

    Brilliant BBC. You wanted to test something out and it worked. Now you know what our aim names and email addresses are. If real addresses are included, I’m saying that some Facebook users are morons.

  6. AstroPig7 says:

    Facebook’s non-response is the best part.

  7. 44 in a Row says:

    I know there’s an option in the privacy settings to block all of your data from being shared by “Facebook API” programs… I wonder, though, if that would still protect you if a friend installs a malicious application. Regardless, I have that option checked.

  8. dreamcatcher2 says:

    As a student who is writing my second facebook application, I can testify that the BBC’s experience is typical. When you add a facebook application, it can access an enormous amount of data. However, two points: Facebook puts that annoying screen that asks you to verify each time that you surrender your data to the application when you add it, and Facebook’s data security is phenomenal. Information which is not authorized to be viewed by applications just isn’t available, and information blocked from a user will not be available to the application through that user.

    Bottom line: as always, information on public sites should always be considered public. If you’re paranoid, make use of the security controls available; Facebook gives users an extraordinary level of control.

  9. dariasofi says:

    Just when I thought facebook sold out, they keep selling out more and more…

    Social “networking” rocks!

  10. dreamcatcher2 says:

    @44 in a Row: Yes, it protects you. It’s a problem I’m trying to get around in an event-related application I’m currently developing – I don’t want all of its users to need to add the application to use it, but it’s much harder to keep control of things when the data is unavailable.

  11. stanfrombrooklyn says:

    Facebook is a joke. Fun if you’re 19 but pretty useless once you realize you don’t care if your boss is a vampire or a werewolf.

  12. Smitherd says:

    @Rectilinear Propagation: I’ll beat the haters to it: “Sounds like you need to get better friends! Har, har, har!”

    Seriously, it’s retarded that just because your friends aren’t as mindful as you, that you are then at risk.

  13. Joined fbook back when it was just for colleges – and only a handful of colleges at that. It was definitely better.

  14. rmz says:

    @generalhousewifery: Congrats?

  15. blackmage439 says:

    Fraudbook has really fallen into the sewage pond. Allowing these third-party apps access to your personal info is asinine to begin with. What’s that, Facebook? Oh it’s the return of BEACON. All ur info iz belong to us.

    And here I wonder why I manually deleted every single thing on my account before “deactivating” it… Anyone who still has a profile, be warned. Just rid yourselves of this crap while you still can. Remember that party where you went on a drunken rampage? The Principal of your school will see it in ten years when you become a teacher. Kiss your career bye-bye.

  16. rmz says:

    Anyway, this is why I removed all information that I wouldn’t particularly want made public a long time ago. If one of my friends needs my physical address or phone number, they already know it.

  17. goodywitch says:

    Don’t post anything on the inter-tubes that you wouldn’t be willing to wear on a T-shirt while walking downtown. Even with privacy settings.

    I’ve said it to my friends, and I’ll say it here: you don’t have to worry about Big Brother coming to get you, it’s your Little Brother (friends) that you have to worry about. Just look at webshots.

  18. Moosehawk says:

    After I read this, I cleansed my facebook by removing all of my friends.

  19. SVreader says:

    Now I don’t feel bad about ignoring all my friends’ requests to add various apps.

  20. theblackdog says:

    I got this e-mail from Facebook telling me that someone who just joined happens to work for my employer, and I just might know them, so I should friend them.

    I’m considering deleting my account, this person probably has no clue facebook spammed me to become her friend.

  21. P_Smith says:

    @AstroPig7: “Facebook’s non-response is the best part.”

    Farcebook’s response sounds like some banks who refused to refund money to customers. People were robbed at ATMs, some on surveillance cameras, and the banks’ responses were, “It was a legitimate transaction, so what happened after isn’t our concern.”

    This sounds exactly the same to me.

  22. khiltd says:

    The Facebook API is one of the biggest jokes I’ve seen and the fact that it has been accepted is a testament to the experience level of your average PHP developer.

  23. drjayphd says:

    @theblackdog: Yeah, they’ve done that to me on a few occasions. Thankfully, just people I went to school with who went to the same high school as me, so that’s fine.

    But Facebook’s REALLY not making me feel good about any hopes of them keeping my info secure. If only our biggest problem was Scramble constantly asking us to invite our friends, even if you just want to see your current games.

  24. fryfrog says:

    I’ll be honest, I don’t get this. Every time you install an application, you are shown a page with:

    “Know who I am and access my information”
    “Put a box in my profile”
    “Place a link in my left-hand navigation”
    “Publish stories in my News Feed and Mini-Feed”
    “Place a link below the profile picture on any profile”
    “Send me notifications via email”

    This happens *every* time you install an application. I personally un-check a few boxes for every application I install.

    How is anyone *surprised* when you leave the “Know who I am and access my information” box checked that an application has access to (surprise?) your information.

    Can you imagine how lame some of the apps would be w/o this kind of access? Sure, you can play Scrabulous w/o providing your friends list… but what about the apps that stick your friends on a map or on a wheel. If you didn’t have access to this, they wouldn’t exist.

  25. ablestmage says:

    Simple solution — only put as much information online as you want anyone else to know. Simple as that. If you’re trusting all of your crucial financial information to the intarwebs, what can I say? It’s your fault for putting it all up there in the first place, Sherlock.

  26. magic8ball says:

    @fryfrog: Unfortunately, I have yet to come across any Facebook app that will let you NOT give it your information. You can uncheck all the rest of the options, but not the first one. If you do, the application just doesn’t install.

  27. fryfrog says:

    You are right, it just happened that the first application I tested (Scrabulous) does offer that box.

    I assume the applications that “require” your information simply don’t have that option.

    Color me wrong!

  28. drjayphd says:

    @magic8ball: Yep, just went through and unchecked every option I could, but I can’t prevent apps from accessing my name and friends list. Que pain.

  29. James Smith João Pessoa, Brazil says:

    With all the bad publicity Facebook and other social sites have received about privacy issues, anyone that even signs up for one is essentially saying, “Do what you will. I have no interest in my security or that of anyone else, either.”

    I do not belong to any social networking site. But I know I am strange. I prefer real friends instead of “cyber-friends”.