February 27, 2009 4:16 PM PST

Facebook halts rogue app, MySpace plugs hole

by Elinor Mills

Just in time for the weekend, social networks Facebook and MySpace were dealing with several new security issues on Friday that could expose personal information and communications from friends.

This screenshot shows the notification that popped up with the latest rogue Facebook application.

(Credit: Trend Micro)

Facebook said it had removed a new rogue application that was spamming users and exposing their information. Before it was halted, the application sent messages claiming that a friend had reported the recipient for violating Facebook's terms of service and offered a link to click to find out more information.

Users who clicked on the link were providing the app access to their profile and personal information as well as unknowingly forwarding the message on to everyone in their Facebook contact list, according to Graham Cluley's blog for Sophos.

"Our team disabled this application for violating the Facebook Developer Terms of Service," Facebook spokesman Simon Axten said in an e-mail. "Some additional versions of it have sprung up, and we've disabled these as well. We're actively monitoring the site for others and are working to block the application completely."

Cluley said Facebook should do more to prevent such rogue applications from spreading in the first place than just shutting them down on an isolated basis.

"One of the problems is that Facebook allows anybody to write an application, and third-party applications are not vetted before they are made available to the public. So, even as Facebook stamps out one malignant application, it can pop up in another place like a poisoned mushroom with a different name," Cluley wrote.

"It sounds like this could be a new favoured trick being used by spammers and identity thieves to build up their databases of intended targets," he wrote. "My advice to Facebook users is to think very carefully before adding any new applications."

The problem prompted a Facebook user to create a Facebook group for victims of the scam, noted Trend Micro in its anti-malware blog.

The rogue app surfaced less than a week after the spread of a similar app dubbed "Error Check System" that falsely warned users that their friends were having problems viewing their profiles.

"Surely these two events in just a single week mean that it's about time that Facebook reviews its application hosting policy," the Trend Micro blog said.

"What that quote suggests is akin to saying, 'there have been two robberies, we need to implement martial law in the city,'" said Facebook spokesman Axten. He noted that there are more than 660,000 developers and the "vast majority" of Facebook applications are not "nefarious."

The company makes it easy to be a Facebook developer--asking only for a valid e-mail address to get an application key--to foster innovation, and has a dedicated Developer Operations team that investigates applications that show "anomalous activity," Axten said.

"In this case, we responded quickly to user reports and disabled the application before too many people were affected," he said.

Meanwhile, over at MySpace, a spokeswoman said the company fixed a vulnerability on Friday that enabled strangers to view MySpace users' private comments. As with the other privacy holes that have been reported on, someone would have to know the exact URL and insert the correct user ID to exploit the weakness.

Originally posted at Security
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by BAMAToNE February 27, 2009 5:19 PM PST
People who add all these applications indiscriminately deserve what they get.
by askj113 February 28, 2009 12:57 AM PST
The thing is is that these were masquerading as actual things from facebook, rather than apps. They were pretty convincing too, I had to think for a moment before turning it down.
by aakk8822 February 27, 2009 8:58 PM PST
Both facebook and myspace ... have too much going on? Why not just make it simple and focus on one thing, twitter or cestagi is a good one, instead of all these pointless, time wasteful applications. I'm not too fond of them ...
by zcollvee February 27, 2009 10:16 PM PST
I saw one like this last week called error check system.
Why do people want to do this?
by Dalkorian March 2, 2009 11:20 AM PST
Because they're vain enough to think anyone cares what they're doing and stupid enough to think these kinds of things don't ever happen to them?
by judeajackson February 27, 2009 10:41 PM PST
They must not have fixed this because I just received one of the spam messages.
by Collin1000 February 27, 2009 10:42 PM PST
http://www.facebook.com/apps/application.php?id=65467804467
It's back. Same app. Same notification spam. Still there.
by Cornium7000987878786 February 28, 2009 12:17 AM PST
Yes. I was on MySpace and knew about this, the sleazoids kept hammering and hammering me. I wasted what should have been five seconds for a couple hours, then got tired of self-immolation and wrote to them. They haven't responded with the boilerplate heat yet. Guess I looked and got it here first. Case closed. I ALWAYS liked MySpace MUCH more than Facebook. Facebook just takes everything and sticks it there, MySpace you can sort of customize. Sort.
by loose_screw February 28, 2009 4:06 AM PST
Customizing isn't bad in and of itself. It's people's taste (or lack thereof) that makes it a horrible feature to have. I'll stick to facebook, thanks.
by zcollvee February 28, 2009 7:04 AM PST
This app is still there.... It's annoying and very very very viral. Half my friends have used it.
by rtb808 March 1, 2009 11:31 PM PST
now it has morphed as a video link...have already received it from 2 FB friends since yesterday...2/28
by rtb808 March 1, 2009 11:51 PM PST
now it seems to have morphed (unless it's something new) to a video link...have already received it a few times from FB friends since yesterday, 2/28...if you click on that video link...you're infected!-(
by Dalkorian March 2, 2009 11:22 AM PST
Yeah, but doesn't it make you feel better to actually have something to do?
by Harrison912 March 2, 2009 10:15 AM PST
I'm typically on FaceBook and MySpace for socially marketing my safety and security web site as well as raising awareness for its products through interacting with friends there. So far no problems but now that I've said that, I'll probably get hit like crazy.

Because of my interest in safety and security, I don't usually trust any of those links or scary messages without first sending off a message to the "sender" to make sure they're authentic. More times than not they aren't. I wish there were better ways to catch the perpetrators but I guess it's easier said than done. Thanks, Elinor!
by Noneyabeeswax March 2, 2009 3:52 PM PST
I don't use Facebook or MySpace. I like LiveJournal the best. We don't have these problems over there. Nuf' said!
by Noneyabeeswax March 2, 2009 3:55 PM PST
Forgot to add, and if you use Sandboxie or Returnil, or Smart Restart, then you have less to worry about with this crapola.

Just reboot and this crap is wiped out.
by MIchaelTCaruso March 2, 2009 6:14 PM PST
The tools are in place to proactively scan websites, applications/Widgets or advertisements for malware.

ClickFacts is also finding that malware is getting much more sophisticated in the past year. It can attack pages, disappear and come back, be served unsuspectingly through legitimate ad servers, attached through applications/widgets (as you refer to) or infiltrate publisher's pages.

Companies can be proactive and have an automated scan of all pages, ad creatives or applications for malware by installing a software solution offered by a third party provider.

What is pointed out here is that applications, real ads and legitimate content pages are being infected daily.

As a third party provider it's good to see the awareness from industry leaders. We are still in the education mode of what malware is, how damaging it can be and how quickly it can infect.

Michael Caruso
CEO, ClickFacts
by rtb808 March 3, 2009 2:18 PM PST
now it seems to have morphed (unless it's something new) to a video link...have already received it a few times from FB friends since yesterday, 2/28...if you click on that video link...you're infected!-(