Facebook dev move won't stop rogue apps, say researchers

Site must use Apple-style approval process to stymie attacks, say security experts

Security researchers today said Facebook's new requirement that developers link legitimate accounts to their software won't stop rogue applications from infecting its users with adware.

On Wednesday, Facebook announced that it will now demand that developers verify a Facebook account to create new apps on the service.

"We're taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account," Niket Biswas, an engineer and technical project manager on the platform engineering team, said in an entry on the Facebook developer blog .

Developers can establish they have a legitimate Facebook account by confirming their mobile phone number or adding a credit card to the account. Facebook requires the same confirmation for users who want to upload large video files.

Although Biswas didn't mention rogue Facebook apps, the move was clearly aimed at trying to stop cybercriminals from building bogus software that dupes users into downloading other programs, including pop-up spewing adware.

"That's not going to hurt [the criminals] one little bit," said Roger Thompson, the chief technology officer for antivirus company AVG Technologies, in an instant message. Thompson has tracked several of the attacks against Facebook users launched by hackers on three consecutive weekends .

"Facebook is entirely too open at the moment," Thompson added. "Anyone can be a developer, with no cost to them at all."

Rik Ferguson, a senior security advisor at Trend Micro, agreed.

"What guarantees are there that any Facebook account is 'valid and real' in the first place?" he asked in a post today on Trend's CounterMeasures blog. "Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. If criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account, where does that leave us?"

Ferguson answered his own question a moment later. "It leaves us with a fake 'confirmed' profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuing to play Whac-A-Mole with the scammers," he said.

Both Ferguson and Thompson said that the only viable move Facebook could take would be to mimic Apple's App Store. Software for the iPhone and iPad must go through a review and approval process before Apple deigns to stick a program on its e-mart.

"If Facebook really wants to turn around the security situation when it comes to malicious or rogue content, then the only effective option is an application approval process, such as the ones already in place over on MySpace or on the Apple App Store," said Ferguson.

Thompson had the same idea, though he didn't think it was feasible for Facebook . "I don't think they can do much more without going to the App Store model, which is contrary to their business [model]," he said.

But Ferguson countered. "The effort that Facebook incident handlers currently put in to tracking down and suspending the ever-increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place," he said.

For three weekends in a row, Facebook users have faced rogue app-based attacks that plant adware on their PCs. This week, users have dealt with a string of so-called "like-jacking" attacks that spread links to malicious sites using Facebook's "Like" feature.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Tags appAppleadwaresecurityFacebook

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?