Originally published at: http://community.ca.com/blogs/securityadvisor
March 15 2010, 06:47 PM by Benjamin Googins
The Facebook application “who is checking my profile” is a privacy invasion, uses deceitful language and should be removed from Facebook.
Deceitful language

I logged into Facebook to see in my Newsfeed a friend posted the results of the application (shortened to app for this blog) “who is checking my profile?” (http://apps.facebook.com/check-profile-g/). Previously I had noticed another friend posted the results of the app “who is your top follower?” (http://apps.facebook.com/jywcocmkds). It is odd that two apps would be constructed with the same look, feel and functionality, but fall under different names. Both apps appear to be the same basic program. Both are one collage image constructed of multiple “profile” images of friends – apparently in the order of “viewing” rank. Both apps have the comment “try it, really works [sic]” with the direct link to the app posted by the same friend that posted the original app results. The comment then triggers an email sent to each user titled, “<insert friend’s name> commented on a photo of you on Facebook…” Both comments finish with exactly two exclamation marks. Both comments leave off the grammatically necessary “it” before “really”. Both “tag” all the profile images in the collage, triggering an email sent to everyone titled, “<insert friend’s name> tagged a photo of you”. It seems safe to say these comments were auto-generated by the app’s creator.

Here is a screenshot of what I saw. I had to redact it in many spots to maintain my friend’s privacy:

The titles “who is checking my profile” and “who is your top follower” imply someone is actively navigating to the person’s profile. In both cases above, I can’t recall ever specifically navigating to either person’s profile, with the exception of when we first became “friends” and to verify the person’s identity before sharing my personal information. If the app is actually drawing on real data, I can only conclude it is using the number of “comments” and “likes” and other similar data – not actual direct profile views – none of which actually require navigating to the user’s profile as the titles imply.
Other friends have confirmed the same scenario — they can’t recall visiting someone’s profile, but are listed in the “top follower” results. At the very least, the two app titles are misnomers.
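As an added example (not from the original post or from CA), here is a defender-side heuristic in Python that captures the indicators described above: identical canned comment text reused across differently named apps, a link to apps.facebook.com, and mass tagging of everyone in the collage. The sample records and the tagging threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample wall-post records modelled on the post's observations:
# one friend's account posts results for two differently named apps, each with
# the same "try it" comment linking to the app and tagging every face shown.
SAMPLE_POSTS = [
    {"poster": "friend_a", "app": "who is checking my profile?",
     "comment": "try it, really works!! http://apps.facebook.com/check-profile-g/",
     "tagged": 12},
    {"poster": "friend_a", "app": "who is your top follower?",
     "comment": "try it, really works!! http://apps.facebook.com/jywcocmkds",
     "tagged": 9},
    {"poster": "friend_b", "app": None,
     "comment": "Great to see everyone at the reunion!", "tagged": 3},
    {"poster": "friend_c", "app": "who is your top follower?",
     "comment": "try it, really works!! http://apps.facebook.com/jywcocmkds",
     "tagged": 11},
]

APP_LINK = re.compile(r"https?://apps\.facebook\.com/\S+")
MASS_TAG_THRESHOLD = 5  # assumed cut-off; a normal photo rarely tags this many


def normalize(comment):
    """Replace the app link with a token so only the canned template remains."""
    return APP_LINK.sub("<link>", comment).strip().lower()


def flag_templated_comments(posts, min_apps=2):
    """Return comment templates seen verbatim on >= min_apps distinct apps,
    each carrying an app link and mass tagging, mapped to those app names."""
    apps_by_template = defaultdict(set)
    for p in posts:
        if APP_LINK.search(p["comment"]) and p["tagged"] >= MASS_TAG_THRESHOLD:
            apps_by_template[normalize(p["comment"])].add(p["app"])
    return {t: sorted(a) for t, a in apps_by_template.items() if len(a) >= min_apps}


if __name__ == "__main__":
    for template, apps in flag_templated_comments(SAMPLE_POSTS).items():
        print(f"templated comment {template!r} reused across apps: {apps}")
```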
Privacy violation

Even if the results of the apps “who is checking my profile” and “who is your top follower” were accurate to what their names imply, both are invasive and violate user privacy. How many times a person views another’s profile is a form of metadata – data that is an interpretation of other data. This is not data that users explicitly agree to share with others when they join Facebook. Permission should be obtained from each individual whose metadata will be shared, prior to the app gaining access to the required data to function. If and when Facebook granted the developer access to this metadata, they removed individual control of the data. The developer turned around and shared the metadata with friends, without their control. Individuals desire control of their data – meaning they want to control who in their life gets to know what information. For example, a doctor gets to know things a professor does not. The same holds true for Facebook friends and relationships. This flow of metadata from Facebook, to app developer, back to other friends will impede users from freely navigating amongst their circle of “friends” if they think each click will be recorded and shared back to those same friends.
Resolution

Facebook should shut down both applications. Further, in the future, users should be able to control what sensitive metadata application developers have access to. Not all metadata is necessarily personal enough to be sensitive to an individual. Alternatively, application developers should be required to obtain permission from each person whose metadata is being shared. In the case above, the person using the application had to grant access to the application, but the application did not obtain permission from all the friends impacted. This needs to change.
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
Comments from original posting:
You’re absolutely right… I am not an expert in computers or technology but happened to receive those messages as well from 2 of my contacts at Facebook. For me, looking at somebody else’s profile is absolutely wrong. It is indeed an invasion of privacy… Thank you for your post and comments. I hope Facebook will do something about this… MORE POWER to you Posted by: trinidad French, March 16, 2010 3:33 AM
Extremely well thought out, from one Infosec professional to another! Good work! I’ve noticed more and more breaches similar to that which you now disclose. There are other Facebook flaws and, more recently, the Gmail breach. Not to mention the MS server “;/:” exploit affecting any forum facilitating server-side scripting (any user). It was bound to happen to Facebook as the 3rd party apps are just too prolific and served en masse to Facebook users (this has been taken from my recent publication in Australia and abroad). Could see the Facebook issue coming miles away, given most of the utils/apps people install are dubious at best! L.M.C – Information Warfare Linguist +61-411868842 – firstname.lastname@example.org Posted by: Leigh Chancellor, March 17, 2010 8:13 AM
Benjamin, thanks for posting this. Can the receipt of one of these app postings cause a virus on one’s computer? Posted by: Patrice, March 17, 2010 4:15 PM
How can I get rid of the photo montages it leaves under my photos tab? Posted by: Karl, March 29, 2010 2:35 PM
Karl, I think it is itemized under your ‘Photos’ section. So, you should be able to: log into Facebook, click ‘Profile’, click the ‘Photos’ tab, click the montage of choice, and on the lower right side you should see ‘Delete this photo’. Comment back if that works and I will add it to the blog. Posted by: Benjamin Googins, March 29, 2010 4:27 PM
I am glad that someone has finally posted something about these invasive applications on Facebook. I am also curious if these apps can be manipulated to launch malware attacks on the persons whom they have hijacked in these applications? Posted by: john, March 30, 2010 8:51 AM
I received this as well and now I have a montage stuck in my photos and I can’t get rid of it. I’ve tried everything. When you click on the montage it takes you to a loop screen that says it’s unavailable and has links back to your photos and your profile, but nothing that will allow you to delete that particular photo. I contacted Facebook and they didn’t have an answer. I want that stupid montage off of my photo collection – plus, I don’t know ONE person in the blurry thing. I know who sent it to me and it was the exact auto-generated thing you wrote above. Posted by: Samantha, April 2, 2010 4:03 AM
Pingback from SPIM Attack: “Youtube’s slow, watch my video here” – CA Security Advisor Research Blog Posted by: SPIM Attack: “Youtube’s slow, watch my video here” – CA Security Advisor Research Blog, April 13, 2010 6:28 AM
Cybercrime includes many things among which we enumerate the so-called “mule recruiting” issue. “Mule”. Posted by: CA Security Advisor Research Blog, April 13, 2010 7:48 AM
Does anyone have an answer to Samantha’s post yet? “I received this as well and now I have a montage stuck in my photos and I can’t get rid of it. I’ve tried everything. When you click on the montage it takes you to a loop screen that says it’s unavailable and has links back to your photos and your profile, but nothing that will allow you to delete that particular photo. I contacted Facebook and they didn’t have an answer. I want that stupid montage off of my photo collection – plus, I don’t know ONE person in the blurry thing. I know who sent it to me and it was the exact auto-generated thing you wrote above. Posted by: Samantha, April 2, 2010 4:03 AM” Posted by: Rachel, April 13, 2010 10:03 PM
WHO’S VIEWED MY PROFILE? Posted by: misaye, April 29, 2010 8:24 PM
Just a few weeks ago a Facebook scam titled “the sexiest video” spread. Today another scam is lurking. Posted by: CA Security Advisor Research Blog, June 7, 2010 3:44 PM