Security firm warns on use of Facebook third-party plugins

Facebook’s privacy controls have once again come under attack, with security software firm AVG saying the company’s new third-party plugins are a security concern and users should be extremely careful about where they log in to the site.

It comes as Facebook prepares to hold a crisis meeting about the controversy surrounding its privacy controls. Various industry groups have criticised the site for not providing enough information to users about how they can change their privacy settings.

Roger Thompson, chief research officer for AVG, said in a blog post that he visited CNN only to find the site had collected information from his profile, despite his not being logged in to Facebook at all.

“On April 29, 2010, I surfed to CNN.com to check out the news… something I do quite often… I happily read about the oil spill and the asteroids, and then noticed the bit I have circled in red. It’s a bit hard to read, but it says “Log in/sign up”, and then “Friends’ activity”, followed by “View more friends’ activity”!”

“Not ‘view friends’ activity’, but ‘more’ friends’ activity. I’m not logged in, but CNN knows who my friends are on Facebook.”

Thompson is referring to new features introduced within the past few weeks. These “social plugins” allow third-party sites to add Facebook features, such as the “like” button and “news feeds”, to their own home pages.

This means users will be able to press the “like” button next to a news item, for example, and that information will be added to their profile on the Facebook.com site. Additionally, news feeds of friends’ activities can be broadcast, so users can be updated without actually visiting Facebook itself.

However, critics, such as Thompson, say this is a serious privacy concern and users should be wary about how their information could spread to third-party sites, even if they aren’t logged in at all.

“Folks… you need to LOG OUT of Facebook once you finish reading posts. You just don’t know what information could be leaking… Privacy, folks, it’s an issue.”

AVG says over 100,000 third-party websites are now using the Facebook plugins.

Meanwhile, Facebook is holding a meeting today to discuss privacy concerns in a sign the company is paying serious attention to how the public perceives its security features.

As reported by Reuters, chief executive Mark Zuckerberg and several other executives will today meet with employees about the company’s privacy controls, and could discuss new ways for privacy features to be updated.

In a statement to Reuters, the company said it has “an open culture and it should come as no surprise that we’re providing a forum for employees to ask questions on a topic that has received a lot of outside interest.”

The company has suffered massive criticism for its handling of privacy issues. New controls for users are introduced relatively quickly, and despite several warnings many users have found their information available for public viewing.

When the site made some major privacy changes recently, some of the “default” positions allowed information to be viewed by others. Some users were unaware of this, and complained their details were viewed by people they would have otherwise blocked from their profiles.

Additionally, the company is facing a complaint from a coalition of 14 lobby groups through the US Federal Trade Commission, with all of them accusing the company of allowing information to be distributed to third parties without user consent.
