SMUG Facebook Challenge
You’d almost be right.
A friend sent me a link to the challenge the day Lee posted it, and by the next day I had a plan of attack. I sent Lee an innocuous Facebook message asking him to take a look at a simple application I’d built. I didn’t lie – I had thrown the app together a few months before, and it hardly does anything. But I did fail to mention one detail – I inserted some new code before contacting Lee.
The code would grab any available information on his secret group as soon as he accessed the application. I’m fairly certain my method did not violate the Facebook TOS, and since Lee issued the challenge, I took that as permission to access his group’s data. I wasn’t sure if he would accept my technique as meeting the challenge, since it did require action on his part, but figured I’d give it a shot.
As I said, though, it required action on his part, and to my disappointment he didn’t actually install the application prior to shutting down the challenge. At that point I went ahead and contacted him to let him know what I was up to, and he graciously installed my application to confirm that the trick worked. In a way, my “hack” was akin to phishing – I was luring Lee to visit a page that seemed harmless, but actually took advantage of his visit.
I didn’t really accomplish that much, but the initial challenge was simply to read the group’s “Recent News” section, and I did pull that off. Accomplishing the rest of the challenge would have been far more difficult, and I don’t think my little scheme invalidated Lee’s original point about doing business on Facebook. Lee has posted our Facebook message conversation regarding the hacker challenge, so check it out if you want more of the story.
So what’s the point of all this? One I’ve been trying to make for some time: Social applications are powerful. An application on Facebook has access to a wide range of data on Facebook users, especially if the application finds a wide audience. But since applications are third-party code, they essentially run on the honor system. While the Facebook TOS bars applications from storing most user data, there is not a practical way for Facebook to enforce or even completely audit this requirement.
Does this mean we should no longer use applications on social networking platforms? Certainly not. But while I’m not aware of any rogue social applications thus far, I would not be surprised to see them before too long. I expect the people behind things like phishing scams to move towards using social networking sites. Once again, the social graph is both the strength and weakness of a social networking site – it enables many great features, but also presents a wealth of data that scammers and hackers will target.
Consequently, social networking sites need to be vigilant in protecting and informing their users. Developers need to be careful to find and plug holes in their applications that people could exploit. (If they read this blog, they may get some free help in the finding part. :) ) And users need to maintain a healthy skepticism of giving any site or application access to personal information.
Anyway, thanks to Lee for the challenge and the write-up, as well as giving me a good opportunity to highlight another point regarding privacy and security.