A company called Trustlook decided to apply some risk scores to a bunch of apps. In the process of doing this, it found that nearly 26,000 malicious ones are currently using Facebook to gather information about users and possibly the friends of those users. Without getting too technical, these apps are believed to use information from the login Application Programming Interface (API) to collect information such as profile names, locations, and email addresses.
In basic terms, when you use your credentials for a site such as Facebook, Google, Twitter, etc. to log in to another application, some information from your profile is likely getting passed on to the third party. You agree to that when you agree to the terms and conditions of the app. However, your friends and connections may not have agreed to those terms, yet their information is being accessed.
There is some controversy surrounding that, but Trustlook’s point is that a whole lot of apps are using the information that gets passed to them via Facebook in a way that users may not have authorized. Think Cambridge Analytica and all the friends of friends who had information passed from Facebook because users took a quiz put up by a third party.
A post from Trustlook explained it this way: “When people use Facebook Login, they grant the app’s developer a range of information from their Facebook profile.” They reference a case from 2015: “That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends.”
This is why it’s advised to use unique logins for every site visited on the web. Yes, it’s much easier to just use your Amazon login to also log into your Woot! account, for example, but don’t. Take the time to set up a new profile with a unique password.
And because you’re letting out a big sigh right now trying to figure out how you’re going to remember different passwords for every account, try a trick passed on by Jim Stickley of Stickley on Security:
First, create a base password of at least six characters. In it, include upper and lower case letters, at least one number, and at least one special character (hint: most sites allow a period, @, and ! as your special characters).
Next, take two consistent characters of the website and incorporate them into your base password in the same position every time. For example, the first two or last two letters can be added to bookend your base password. Say your base password is 7*dLeiK# and you’re visiting Amazon’s website. Your new password would become A7*dLeiK#n. Using a strategy like this makes it highly unlikely that you will ever repeat a password.
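The scheme above, as an added Python example that is not from the article or from Stickley on Security: it checks the base-password rules stated in the steps and bookends the base with the site's first letter (capitalised) and its last letter, reproducing the Amazon example. The hostname normalisation and the set of accepted special characters are assumptions.

```python
from urllib.parse import urlparse

# Special characters the article says most sites accept, plus the ones used in
# its own example base password (7*dLeiK#). This set is an assumption.
SPECIALS = set(".@!*#")


def base_password_ok(base: str) -> bool:
    """Apply the article's rules for a base password: at least six characters,
    upper and lower case letters, at least one digit and one special character."""
    return (len(base) >= 6
            and any(c.isupper() for c in base)
            and any(c.islower() for c in base)
            and any(c.isdigit() for c in base)
            and any(c in SPECIALS for c in base))


def site_name(url_or_host: str) -> str:
    """Reduce 'https://www.amazon.com/...' or 'amazon.com' to 'amazon' so the
    same two letters are picked however the address is typed (assumed step)."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlparse(target).hostname or ""
    labels = [part for part in host.lower().split(".") if part and part != "www"]
    if len(labels) > 1:
        labels = labels[:-1]  # drop the top-level domain
    return labels[0] if labels else ""


def derive_password(base: str, url_or_host: str) -> str:
    """Bookend the base password with the site's first and last letters,
    as in the article's Amazon example: 7*dLeiK# -> A7*dLeiK#n."""
    if not base_password_ok(base):
        raise ValueError("base password does not meet the stated rules")
    name = site_name(url_or_host)
    if len(name) < 2:
        raise ValueError("cannot identify two characters of the site name")
    return name[0].upper() + base + name[-1]


if __name__ == "__main__":
    print(derive_password("7*dLeiK#", "https://www.amazon.com/"))
```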
And just to be clear, these tens of thousands of apps are not necessarily using the information for evil. They were, however, given a high risk score by Trustlook, which means they may be doing things such as capturing photos or making an excessive number of network calls. In any case, if you don’t want any of your friends’ information passed on to third parties, avoid using apps that you find on other websites such as Facebook.
Also, keep in mind that if you do use your social media account or others to log into websites, should one of those be breached, your account for the other site is at risk too.
Stickley on Security
August 7, 2018