Social networks Facebook and MySpace were dealing with new security issues on Friday that could compromise personal information and communications from friends.
Facebook said it had removed a new rogue application that was spamming users and exposing their information. Before it was halted, the application sent messages claiming that a friend had reported the recipient for violating Facebook's terms of service and offered a link to click to find out more information.
Users who clicked on the link were providing the app access to their profile and personal information as well as unknowingly forwarding the message on to everyone in their Facebook contact list, according to Graham Cluley's blog for Sophos.
"Our team disabled this application for violating the Facebook Developer Terms of Service," Facebook spokesman Simon Axten said in an email. "Some additional versions of it have sprung up, and we've disabled these as well. We're actively monitoring the site for others and are working to block the application completely."
Cluley said Facebook should do more to prevent such rogue applications from spreading in the first place than just shutting them down on an isolated basis.
"One of the problems is that Facebook allows anybody to write an application, and third-party applications are not vetted before they are made available to the public. So, even as Facebook stamps out one malignant application, it can pop up in another place like a poisoned mushroom with a different name," Cluley wrote.
"It sounds like this could be a new favoured trick being used by spammers and identity thieves to build up their databases of intended targets," he wrote. "My advice to Facebook users is to think very carefully before adding any new applications."
The problem prompted a Facebook user to create a Facebook group for victims of the scam, noted Trend Micro in its anti-malware blog.
The rogue app surfaced less than a week after the spread of a similar app, dubbed Error Check System, that falsely warned users that their friends were having problems viewing their profiles.
"Surely these two events in just a single week mean that it's about time that Facebook reviews its application-hosting policy," the Trend Micro blog said.
"What that quote suggests is akin to saying, 'there have been two robberies, we need to implement martial law in the city,'" said Facebook spokesman Axten. He noted that there are more than 660,000 developers and the "vast majority" of Facebook applications are not "nefarious".
The company makes it easy to be a Facebook developer — asking only for a valid email address to get an application key — to foster innovation, and has a dedicated Developer Operations team that investigates applications that show "anomalous activity", Axten said.
"In this case, we responded quickly to user reports and disabled the application before too many people were affected," he said.
Meanwhile, over at MySpace, a spokeswoman said the company fixed a vulnerability on Friday that enabled strangers to view MySpace users' private comments. As with the other privacy holes that have been publicised, someone would have to know the exact URL and insert the correct user ID to exploit the weakness.
