Facebook dev move won't stop rogue apps, say researchers

Site must use Apple-style approval process to stymie attacks, say security experts

Security researchers today said Facebook's new requirement that developers link legitimate accounts to their software won't stop rogue applications from infecting its users with adware.

On Wednesday, Facebook announced that it will now demand that developers verify a Facebook account to create new apps on the service.

"We're taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account," Niket Biswas, an engineer and technical project manager on the platform engineering team, said in an entry on the Facebook developer blog .

Developers can establish they have a legitimate Facebook account by confirming their mobile phone number or adding a credit card to the account. Facebook requires the same confirmation for users who want to upload large video files.

Although Biswas didn't mention rogue Facebook apps, the move was clearly aimed at trying to stop cybercriminals from building bogus software that dupes users into downloading other programs, including pop-up spewing adware.

"That's not going to hurt [the criminals] one little bit," said Roger Thompson, the chief technology officer for antivirus company AVG Technologies, in an instant message. Thompson has tracked several of the attacks against Facebook users launched by hackers on three consecutive weekends .

"Facebook is entirely too open at the moment," Thompson added. "Anyone can be a developer, with no cost to them at all."

Rik Ferguson, a senior security advisor at Trend Micro, agreed.

"What guarantees are there that any Facebook account is 'valid and real' in the first place?" he asked in a post today on Trend's CounterMeasures blog. "Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. If criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account, where does that leave us?"

Ferguson answered his own question a moment later. "It leaves us with a fake 'confirmed' profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuing to play Whac-A-Mole with the scammers," he said.

Both Ferguson and Thompson said that the only viable move Facebook could take would be to mimic Apple's App Store. Software for the iPhone and iPad must go through a review and approval process before Apple deigns to stick a program on its e-mart.

"If Facebook really wants to turn around the security situation when it comes to malicious or rogue content, then the only effective option is an application approval process, such as the ones already in place over on MySpace or on the Apple App Store," said Ferguson.

Thompson had the same idea, though he didn't think it was feasible for Facebook . "I don't think they can do much more without going to the App Store model, which is contrary to their business [model]," he said.

But Ferguson countered. "The effort that Facebook incident handlers currently put in to tracking down and suspending the ever-increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place," he said.

For three weekends in a row, Facebook users have faced rogue app-based attacks that plant adware on their PCs. This week, users have dealt with a string of so-called "like-jacking" attacks that spread links to malicious sites using Facebook's "Like" feature.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags FacebookAppleadwareapp

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?