"Want a free iPad?" That's an email that my Facebook friends received from me this morning. The problem is, I never sent it. In fact, I never saw it until it had been sent on my behalf. Being careful isn't enough. I wrote here on this very blog last year about the various trojans and other attacks made on and through Facebook.
Today, I was used.
This morning as I was starting work, my daughter sent a text message asking me about a free iPad. I didn't know what she was talking about. Then, after a bit of investigation, I learned that some rogue application that I had approved for access to my Facebook account had sent an event invitation to everyone on my Friends list.
This is a big deal.
It's a big deal because I cannot even easily send a message to everyone on my friends list. Therefore, my apology email took a while to create, since I had to manually create a list with all of my friends on it.
It's also a big deal because there was no way for me to find out from the invitations which application sent it. Was one of the seemingly appropriate applications like Twitter or Foursquare the issue? Or how about that Fast Company Influence Project app that I set up yesterday? I can't tell. The invitation does not tell anyone how it was created, and I have no way of working backwards from the invitation to the app and removing its permissions.
This is a Facebook security problem, and Facebook needs to address it. As a result of this issue, I have removed a number of apps from my Facebook page and will remove all of them if it happens again.
In the meantime, I'm committed to doing what I can to track down this rogue app. If you have any insight into how this was done or what app might have done it, I'd love to get your insights. I'll update this post as I discover more.