Mobile Security Feature
February 10, 2014

Rogue Apps Can Lock Out Mobile Facebook Users

The privacy app maker MyPermissions has uncovered a major bug in Facebook’s mobile app that prevents users from revoking permissions from Facebook apps.

“Think about it like this: you download an app that promises to do one thing, but actually comes from a hacker who wants to seriously invade your privacy by mining your data,” Genevieve Cenower wrote in a company blog post. “Given the right coding, this developer could trigger the same effect, basically making it impossible for a user to disconnect this malware app and revoke its permission to access your personal information.”

The bug goes deeper than simply being unable to revoke access. It’s possible for a rogue app to deny a user access to the social networking site completely.

“We have a former hacker that works for us,” MyPermissions CEO Olivier Amar told Yahoo News. “He told us that this is something he absolutely would have used and that the code could be replicated in less than an hour.”

What they were able to do was shocking.

“We shut down the biggest Facebook applications permissions pages on mobile,” he said. “We were literally doing it 50-100 applications at a time. Within the space of 30 seconds, we could shut down 100 applications at a time.”

When MyPermissions uncovered the problem, they immediately reported it to Facebook. 

“They did a fantastic job of getting in touch with us very quickly. Facebook takes this very seriously, and I’m very impressed by them,” Amar said.

Facebook’s cooperation might seem a bit odd, since MyPermissions is intended to help users protect their information from services like Facebook.

In any case, users should be very careful to allow only apps they really trust to access their Facebook accounts. With even apps listed in Google Chrome’s store selling ads without telling their users, it might pay to be suspicious of “official” apps as well for the time being.

Edited by Cassandra Tucker
