After the release of FireSheep, Facebook took an important step to help protect Facebook user accounts by allowing users to choose to keep an encrypted connection as long as they used just Facebook and intelligently designed apps.
Savvy users immediately discovered that if they tried to use grossly insecure apps such as Farmville, 21 Questions, or a variety of apps by Rockyou, they were switched back to an unencrypted connection.
Having an unencrypted connection means that if you are on an unsecured network, such as those frequently found in coffee shops, airports, and many other public places, another person can mess around with your account and do things like post messages as if they were you. In fact, they are actually logged into your account for the session, but because they don’t have your password there are some security features they can’t change. Still, it is enough access to cause a lot of damage.
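As an added example (not part of the original post), the following Python audit shows why a forced downgrade to HTTP exposes the session: any cookie set without the Secure attribute is sent in cleartext as well, which is exactly what a passive listener on an open network receives. The cookie names, values and domain are constructed for the example and not taken from any real site.

```python
# Added example: audit Set-Cookie headers for cookies that would still be
# transmitted in cleartext once a session is downgraded from HTTPS to HTTP.
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    secure: bool    # Secure attribute: browser sends the cookie over HTTPS only
    httponly: bool  # HttpOnly attribute: not readable by page scripts


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the two flags that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/ etc.) are irrelevant here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs)


def cookies_exposed_by_downgrade(set_cookie_headers):
    """Return the names of cookies the browser would also send over plain HTTP.

    These are the cookies a sniffer on an open network can capture after an
    app forces the session back to HTTP; a Secure cookie is never sent there.
    """
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.secure]


def harden_set_cookie(header: str) -> str:
    """Mitigation: add the Secure attribute so the cookie survives a downgrade unexposed."""
    if parse_set_cookie(header).secure:
        return header
    return header.rstrip("; ") + "; Secure"


# Constructed sample headers (hypothetical site), not captured from any real service.
SAMPLE_HEADERS = [
    "session_token=abc123; Path=/; Domain=.example.com; HttpOnly",
    "prefs=theme-dark; Path=/; Domain=.example.com",
    "csrf=deadbeef; Path=/; Domain=.example.com; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name in cookies_exposed_by_downgrade(SAMPLE_HEADERS):
        print(f"{name}: sent in cleartext after a downgrade to HTTP; set the Secure attribute")
    hardened = [harden_set_cookie(h) for h in SAMPLE_HEADERS]
    print("exposed after hardening:", cookies_exposed_by_downgrade(hardened))
```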
Facebook has addressed the problem: if you choose to use an encrypted connection and an insecure app then switches you to an unencrypted one, your preference is remembered, and the next time you log out and back in your connection will be encrypted again. This is a great step.
Kudos to Facebook, and shame on the careless developers who have not fixed their apps to afford you a safe Facebook session. If you want to use an encrypted Facebook session, follow the instructions at Change Your Facebook Account Settings for Better Privacy and Security.
If you go to use an app and are prompted to switch to HTTP, then refuse to. If it means you can’t use the app then email the developer and tell them that you won’t use their app until they respect your privacy and security.
The Facebook App Hall of Shame includes:
Cityville – Subjects 89 million users per month to potential account compromise.
Texas HoldEM Poker – Subjects 36.9 million users per month to compromise.
Bandpage – Subjects 21.56 million users per month to compromise.
Phrases – Subjects 18.34 million users per month to compromise.
Windows Live Messenger – Subjects 18.1 million users per month to compromise.
Mafia Wars Game – Subjects 17.3 million users per month to compromise.
FrontierVille – Subjects 17.02 million users per month to compromise.
Are YOU Interested – Subjects 15.26 million users per month to compromise.
Pet Society – Subjects 9.99 million users per month to compromise.
Treasure Isle: The Adventure Game – Subjects 9.99 million users per month to compromise.
It isn’t as though an app can’t be built to support a secure session: the app “Causes” has 18 million users a month who DO NOT have to compromise their accounts to use it. Kudos to Causes for their cause and their respect for Facebook users.
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Author ESET Research, We Live Security