Facebook Fixes Flaw – Farmville Compromises Facebook

After the release of FireSheep, Facebook took an important step to help protect Facebook user accounts by allowing users to choose to keep an encrypted connection as long as they used just Facebook and intelligently designed apps.

Savvy users immediately discovered that if they tried to use grossly insecure apps such as Farmville, 21 Questions, or a variety of apps by Rockyou, they were switched back to an unencrypted connection.

Having an unencrypted connection means that if you are on an unsecured network, such as those frequently found in coffee shops, airports, and many other public places, another person can capture your session and mess around with your account, doing things like posting messages as if they were you. In fact, they are actually logged into your account for the session, but they don’t have your password, so there are some security features they can’t change. Still, it is enough access that they can cause a lot of damage.
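The session hijacking described above works because a session cookie that is not marked Secure is sent on every plain HTTP request, so a single unencrypted app page leaks it to anyone on the same network. The following added example (not code from the original post, Facebook, or any of the apps named) audits constructed sample response headers for exactly that weakness: cookies without the Secure attribute, session-looking cookies without HttpOnly, and the absence of a Strict-Transport-Security header that would keep a browser from being downgraded to HTTP at all. The cookie names and values are invented placeholders.

```python
"""Audit HTTP response headers for cookie and transport settings that let a
session be captured over plain HTTP. Added illustration, not the original
post's code; all headers below are constructed samples."""

# Name fragments that usually mark a login/session cookie (heuristic, assumed).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed weak response: a session cookie usable over HTTP, no HSTS.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/
Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly
"""

# Constructed hardened response: every cookie Secure, HSTS pins HTTPS.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure
"""


def parse_headers(raw):
    """Split a raw response into (status line, [(lower-name, value), ...])."""
    lines = raw.splitlines()
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value):
    """Return (cookie name, {attribute-name: value-or-True}) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_cookies(raw):
    """Return findings as (cookie name, problem) tuples, in header order."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(value)
        looks_like_session = any(h in cookie_name.lower() for h in SESSION_NAME_HINTS)
        if "secure" not in attrs:
            # Without Secure the browser also sends this cookie on http:// requests,
            # so one unencrypted app page exposes it to the local network.
            findings.append((cookie_name, "missing Secure: also sent over plain HTTP"))
        if looks_like_session and "httponly" not in attrs:
            findings.append((cookie_name, "session cookie readable by page scripts"))
    return findings


def has_hsts(raw):
    """True when the response carries a Strict-Transport-Security header."""
    _, headers = parse_headers(raw)
    return any(name == "strict-transport-security" for name, _ in headers)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: HSTS={has_hsts(resp)}")
        for cookie_name, problem in audit_cookies(resp):
            print(f"  {cookie_name}: {problem}")
```

Run against the weak sample, the audit flags the session cookie and the preferences cookie as missing Secure and reports no HSTS; the hardened sample produces no findings. The same two functions can be pointed at headers captured from your own site to confirm that an HTTPS-only preference cannot be silently undone by one unencrypted page.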

Facebook has addressed the problem: if you have chosen an encrypted connection and an insecure app switches you to an unencrypted one, your preference is now remembered, so the next time you log out and back in your connection will be encrypted again. This is a great step.

Kudos to Facebook, and shame on the careless developers who have not fixed their apps to afford you a safe Facebook session. If you want to use an encrypted Facebook session, follow the instructions at Change Your Facebook Account Settings for Better Privacy and Security.

If you go to use an app and are prompted to switch to HTTP, then refuse to. If it means you can’t use the app then email the developer and tell them that you won’t use their app until they respect your privacy and security.

The Facebook App Hall of Shame includes:

Cityville – 89 million users per month potentially subjected to account compromise.
Texas HoldEM Poker – Subjects 36.9 million users per month to compromise.
Bandpage – Subjects 21.56 million users per month to compromise.
Phrases – Subjects 18.34 million users per month to compromise.
Windows Live Messenger – Subjects 18.1 million users per month to compromise.
Mafia Wars Game – Subjects 17.3 million users per month to compromise.
FrontierVille – Subjects 17.02 million users per month to compromise.
Are YOU Interested – Subjects 15.26 million users per month to compromise.
Pet Society – Subjects 9.99 million users per month to compromise.
Treasure Isle: The Adventure Game – Subjects 9.99 million users per month to compromise.

It isn’t as though an app can’t be built to provide a secure experience: the app “Causes” has 18 million users a month who DO NOT have to compromise their accounts to use it. Kudos to Causes for their cause and their respect for Facebook users.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America


  • Alex

    I remember back a few years before Facebook made all the games switch to using an iframe, all you had to do for a session hijack was copy the URL from the navigation bar and paste it into another browser… instant session hijack. The iframes masked the URLs somewhat, so the security was somewhat better. Effective October 1st, it’s all going HTTPS, so the games on your Hall of Shame should all be working toward meeting that date.

  • Kristen B.

    I hope that the people behind these Facebook applications will be able to change their features for the safety of those who are using them. I am quite worried that Pet Society is included in the Facebook App Hall of Shame since I am such a fan. I wonder if Restaurant City and other Facebook applications are also affected by these compromised applications. It is a good thing I haven’t filled in the necessary information on my Facebook profile. Thanks for the insights.
    /Kristen B.
    Magnavox MDR515H Reviewer

30 Mar 2011