
Tens of Thousands of Malicious Apps Use Facebook's APIs (threatpost.com)

Slashdot reader lod123 quotes ThreatPost: At least 25,936 malicious apps are currently using one of Facebook's APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address. Trustlook discovered the malicious apps using a formula, which created a risk score for apps based on more than 80 pieces of information for each app, including permissions, libraries, risky API calls and network activity... A malicious app (with a risk score above 7) "might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls," a spokesperson told Threatpost...

To be fair, Facebook is not the only company with its APIs embedded in malicious applications... "The problem, for the most part, is that this is data that is provided when their login is used elsewhere. The API is simply passing through intelligence it has gathered from their profile," said Chris Roberts, chief security architect at Acalvio, via email. "LinkedIn, Google and Twitter, among others, have similarly flawed APIs that can be used to harvest information both about you (the target) and possibly associated individuals...depending upon queries and other developer privileges that are being exploited."

A Trustlook spokesperson summarized their position after the report. "Just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs."

  • by gurps_npc ( 621217 ) on Saturday May 05, 2018 @01:49PM (#56559784)

    They have access to Facebook, that makes them malicious.

    Until we create and enforce a law preventing anyone from maintaining a record on people who have not given them express permission to maintain that record, Facebook and their ilk are malicious.

    My data should have my permission before it is kept, not after.

    • Most people would happily tick that box without even bothering to read the fine print. It doesn't matter what law you pass if you can't get people to understand the importance of keeping their data private and secure. Hopefully things will improve in future generations, but I suspect that history will look on us as digital barbarians of sorts.
    • We need a central database of information types/uses (but no actual personal information) which anyone who collects personal information can query to get a user's preferences. Set once and forget.

      Apps/websites/etc must then adhere to those preferences, even if it interferes with the operation of their service. These defaults could then be overridden on an individual basis as an opt-in approach.

  • Yes, it's important to look at the problems, but if there is no solution, is there really a problem? There seems to be a lot of confusion these days about reality, ugly reality, and bothersome realities that certain people refuse to believe in. (Even worse when gaslighting Level-3 liars exploit the will to believe...)

    So is there any solution to this malicious app problem? I think the best solution approach would involve exposing the financial models of the apps, with secure commentary provided by financial

    • by shanen ( 462549 )

      There's some secret reply, eh? Sorry, AC, I'm NOT interested in wasting time investigating. Your claim of AC status is equivalent to a claim of ZERO EPR and my hypothetical visibility setting for EPR would be higher than the positive default.

      It could be worse. The "hidden comment" could be an accredited comment that has already been modded into invisibility. In that case the local reputation would be overwhelmingly negative (except for the even more remote possibility of troll attack).

      Rather sad if the secr
