Privacy and Security

26,000 Malicious Apps Use Facebook APIs

Those APIs give developers easy access to user data.

• By Dian Schaffhauser
• 05/02/18

The mop-up work for Facebook in the wake of its privacy reform could take much longer than we might expect. According to security company Trustlook, there are nearly 26,000 malicious apps currently using at least one Facebook application programming interface, any of which could give those developers access to information from Facebook profiles, including names, locations and email addresses.

The company noted that similar dangers exist in APIs provided for other social sites, including Twitter, LinkedIn, Google and Yahoo.

In response to the privacy problem, Facebook CEO Mark Zuckerberg said his company would audit thousands of apps and give users easier tools for managing how their data is used.

Trustlook sells security products and services using artificial intelligence to protect against sophisticated malware and other kinds of attacks.

According to a recent blog article on Trustlook's website, the problems that led to the Cambridge Analytica data-harvesting outrage resulted when developers abused certain Facebook APIs, specifically those associated with its login feature. When Facebook users tap the site's login to connect with other services, they grant those apps' developers access to information on their profiles. Beginning in 2015, the year before the Cambridge Analytica debacle, Facebook also allowed developers to access a bit of data from friends of users who used Facebook Login as well — whether or not they had agreed to hand over their data.

The security company has identified 25,936 "malicious apps" in use by Facebook users. That count was handled through its product, SECUREai App Insights, whose three flavors — mobile, core and IoT — are used by companies that want to embed security into their own products. The technology provides information on apps, including risky API calls and a risk score. According to the firm, three of the top five app stores use the program to assess the risk of the apps allowed into their stores.

"Whether Facebook can accomplish their goals remains to be seen, but it's clear the company needs better visibility into how user information is being handled by third-party apps," the company suggested. "And most likely it needs a sophisticated piece of software to help."