Facebook's Security Mess

Last week I was sitting in my office working away on a client's iPhone app when my iPhone's text message bell alert rang. I picked up my phone to see my daughter's text message: "Free iPad event?" After an exchange, I learned that my Facebook account had sent her an event request with a link to a rogue quiz site that was offering quizzes for the amazingly low price of $19.99 a month. I also started getting emails from other friends who were getting the invitation from me. So, I got mad.

First, I deleted the event. Then, I posted to my wall about it. And then, I went on the warpath.

You see, I am very careful about my Facebook account. While I explore aspects of Facebook as part of my research for clients, I am aware of the dangers and am diligent in working through the possible issues. But, I got caught. So, I went looking for the source of the issue.

The first thing I learned is that I am not alone. There is even a Facebook group that has grown up to oppose it. But, no one seemed to know how it was done, so I began to investigate.

Given the invitation text and the targets, I figured out that it had to have come from an application with access to my account. I dug through my entire list of applications, eliminating many that were either old or that I don't use. But, it's important to understand that Facebook makes this process far more painful than it needs to be. If only Facebook would label wall posts, event invites, and other items with the application that created them, we could track down the reprobates who build these cheap cheats. Twitter even does it:

So Twitter, with its informal nature, trumps Facebook in one of the most important aspects of security: transparency.

In my next few posts, I'll outline what you can do to scrub your Facebook account in a way that will make it much more hardened against this kind of attack. However, with the limited transparency of Facebook's system right now, there is only so much you can do.