Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Facebook apps verification wont stop malware

Security experts mock weak rogue apps controls

Article comments

Security researchers today said Facebook's new requirement that developers link legitimate accounts to their software won't stop rogue applications from infecting its users with adware. Facebook announced that it will now demand that developers verify a Facebook account to create new apps on the service.

"We're taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account," Niket Biswas, an engineer and technical project manager on the platform engineering team, said in an entry on the Facebook developer blog. Developers can establish they have a legitimate Facebook account by confirming their mobile phone number or adding a credit card to the account. Facebook requires the same confirmation for users who want to upload large video files.

Although Biswas didn't mention rogue Facebook apps, the move was clearly aimed at trying to stop cybercriminals from building bogus software that dupes users into downloading other programs, including pop-up spewing adware.

"That's not going to hurt [the criminals] one little bit," said Roger Thompson, the chief technology officer for antivirus company AVG Technologies, in an instant message. Thompson has tracked several of the attacks against Facebook users launched by hackers on three consecutive weekends. "Facebook is entirely too open at the moment," Thompson added. "Anyone can be a developer, with no cost to them at all."

Rik Ferguson, a senior security advisor at Trend Micro, agreed. "What guarantees are there that any Facebook account is 'valid and real' in the first place?" he asked in a post today on Trend's CounterMeasures blog. "Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. If criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account, where does that leave us?"

Ferguson answered his own question a moment later. "It leaves us with a fake 'confirmed' profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuing to play Whac-A-Mole with the scammers," he said.

Both Ferguson and Thompson said that the only viable move Facebook could take would be to mimic Apple's App Store. Software for the iPhone and iPad must go through a review and approval process before Apple deigns to stick a program on its e-mart.

"If Facebook really wants to turn around the security situation when it comes to malicious or rogue content, then the only effective option is an application approval process, such as the ones already in place over on MySpace or on the Apple App Store," said Ferguson.

Thompson had the same idea, though he didn't think it was feasible for Facebook. "I don't think they can do much more without going to the App Store model, which is contrary to their business [model]," he said.

But Ferguson countered. "The effort that Facebook incident handlers currently put in to tracking down and suspending the ever-increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place," he said.

For three weekends in a row, Facebook users have faced rogue app-based attacks that plant adware on their PCs. This week, users have dealt with a string of so-called "likejacking" attacks that spread links to malicious sites using Facebook's "Like" feature.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *