Facebook Gifts, the new social gifting service launched by Facebook on Thursday, might encourage users to expose information like their home addresses, birth date, clothing or shoe size that could pose security and privacy risks, according to security experts.
Facebook used to have a Gift Shop application that allowed users to send virtual gifts in the form of images, but it was discontinued in August 2010. The revamped Facebook Gifts feature is the result of Facebook's May acquisition of mobile e-commerce app Karma and allows users to send physical gifts to their friends.
"Choose a gift, attach a card and send," Facebook said Thursday in an announcement on its website. "You can post your gift to your friend's timeline or send it privately. Your friend can then unwrap a preview of the gift and it will show up on their doorstep a few days later."
Facebook has partnered with many vendors in order to offer a large selection of gifts that includes stuffed animals, cupcakes, toys, coffee mugs, Starbucks gift cards and more. The company receives a percentage of every gift purchase.
Facebook Gifts will be rolled out gradually to users starting with those in the U.S, the company said. Users will have the option to send gifts from the birthday reminder panel on their news feeds or by clicking on a gift icon in a friend's timeline. The payment can be made before or after the intended recipient has accepted the gift.
Recipients will receive a notification when someone sends them a gift and can select the item's size, color or even swap it for another item of equal or lower price. They then have to input a delivery address or select from the ones already saved under their account.
The launch of the new Facebook Gifts service is good news for Facebook investors because it will provide the company with a new revenue stream and the feature might even prove popular with users in the long run. However, some security experts are concerned about its security and privacy implications.
"The amount of private data users are sharing on social networking sites already exceeds all security precautions," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email Friday. "Making it so much easier for the user to add a number of addresses they can receive parcels at (including probably work or school addresses) would make it even easier for real-life criminals to gather information about a potential victim."
"The new information that might be shared by users is particularly dangerous in the case of account compromise," the Bitdefender security researcher said. Home addresses combined with other information commonly shared by users on Facebook like vacation dates, pictures of houses or news about recent high-value purchases, could make it very easy for burglars to select potential victims and plan raids, he said.
According to a 2011 survey performed in the U.K., 4 out of 5 ex-burglars believe that thieves are targeting homes using information gathered from social media websites.
In addition, stolen home addresses can also be used to craft more believable email-based scams. For example, parcel delivery emails that try to trick users into clicking on malicious links or opening malicious attachments are a common occurrence. Including the target's home address in such a message would likely increase the attacker's chance of success.
"There is strong potential for this [feature] to spark malicious, spam e-mails, like 'You have just received a Facebook Gift, please click here to redeem'," said Adam Levin, chairman and founder of Identity Theft 911, a company based in Scottsdale, Arizona, that provides identity and data risk management services. "We see instances like this all the time and the link included usually opens up to a website exposing the user to malware and spearphishing," he said via email on Friday.
"Because of this feature, more users may be apt to reveal their birthdays on their profile," Levin said. "Birthdays are often used to verify a customer's identity, so it's very valuable information for identity thieves. Anytime you provide information to complete the mosaic of your life, you're putting yourself in harm's way."
People's gift preferences could reveal what kind of products they like or their clothing and shoe sizes. It's not clear if Facebook collects this information or uses it outside of the Facebook Gifts service. The company did not immediately return a request for comment.
"There is one question we need to ask ourselves: how would our data turn against ourselves in the event our account gets breached and the information lands in the wrong hands?" Botezatu said. "Are we ready to live in an ecosystem where social networks know our names, our relationship history, phone number, email address, shoe size and, on top of that, where we live with pinpoint precision?"