Facebook users open to cyberattacks, ID theft?

As Facebook evolves from a university social network into an enterprise tool, VeriSign iDefense security experts are warning that the platform is turning into a prime attack vector for cybercriminals.

Ryan Olson, a United States-based analyst for VeriSign's iDefense operations against the proliferation of malicious code, said that while thousands of applications being developed by third parties for Facebook users are enriching the social network's functionality, the Facebook Platform provides a perfect channel for distributing malicious software.

"The potential is there, and the framework is there," Olson said.

"Rather than putting it in our terms of service that you promise not to breach our security and putting the onus on us, we are just going to open it up slowly over time," Facebook founder Mark Zuckerberg said in June.

"You use such developer applications at your own risk," Facebook states on its privacy statement.

While Facebook third-party developers do not necessarily have access to Facebook members' personal details, whether users agree to install an application is ultimately a caveat emptor scenario.

Adding pressure to the rush to develop new applications for Facebook, PayPal is running a competition that closes on August 24, offering developers cash prizes of up to $10,000 for winning applications.

Developers require users to agree to their own terms of service and privacy policies as a condition of using their applications. Given the tendency by users to gloss over lengthy condition statements, this opens the possibility for developers to extend rights beyond the standard agreements.

However, Olson and Rick Howard, director of intelligence at VeriSign's iDefense Labs, said a longer-term problem is users' openness with personal information on public forums.

"They seem to have no sense of privacy," Howard said. "We think it could go two ways. In the future, they're either going to decide they're embarrassed by all the information they've put out there, or they may decide it's just the way it is and (that) it's OK to put information out there."

In a "thought experiment" the two conducted in the United States before visiting Australia, Howard said they managed to acquire enough information on one young user to steal her identity.

"We pulled down one person's name--in this instance, a female--and everything she put out there," Howard said.

"In 15 minutes of doing Google searches, we were able to collect enough information to steal her identity."

So what can users do to protect themselves in this candid new world?

"Best practice, really: don't let information out like that," Howard said, adding that the "intoxicatingly interesting" nature of social networking is inherently at odds with best practices.

Liam Tung of ZDNet Australia reported from Sydney.