I thought so...
After checking around, this seems accurate.
Facebook's hip new application platform contains a gaping hole that allows attackers to run malicious javascript on unsuspecting users' machines, a developer has demonstrated. Proof of concept code examined by El Reg shows how the platform can be used to steal Facebook users' session identification cookies, deliver pop-up …
This is why you don't use the addons on places like that unless you can 'trust' them. Do you really need those 8 versions of "How hot am I", "Rate your friends", "Add this application or a puppy dies"?
I'd say treat the applications you put on there as you'd treat giving out contact details, but we all know how well that usually goes.
One nice little hole that I've wondered about is the fact that the applications gain access to your information when you add them, a nice box saying:
"Know who I am and access my information"
Unticking this gives you:
"Granting access to information is required to add applications. If you are not willing to grant access to your information, do not add this application."
Why is the option there then?
http://developers.facebook.com/user_terms.php - Platform Application Terms of Use. I love section 2b. A Data Miner's wet Dream?
Right, and besides, Hyde Park is a lovely park, one of my favorite places in April, but unfortunately I'm not able to visit it often. FaceBook - no flowers, no spring rain, definitely no entertaining and funny people, no pubs near... Yes, if I have something to say, I will go to Hyde Park. Try it, you will love it! Next time I'm in London, hopefully in April, see you there and not on the Internet. Besides, it's totally safe, except of course from some very good British humor; the comments are way better than what you see on the Internet!
"It's written in PHP and MySQL, hardly known for secure applications or scalability"
I disagree... PHP and MySQL can be perfectly secure and scalable; it just depends on the talents of the programmer. I've seen loads of times when someone has used a module or application from a third party without properly checking it and thus exposing gaping security holes...
I'm not saying that what I write is perfect, but a company I used to work for thought that putting the admin pages in /admin/ without any password checking was OK ("it's not linked-to so no-one will know it's there")... they worked in ASP.
What you're saying is akin to "this book is rubbish because it was written on a mac"... it may be true that it was written on a mac, but it's the (lack of) talent of the author that you should be criticising!
"security by assertion" is a long standing tradition of clueless coders, who write 95% of software out there. I was tempted to cite an example from Microsoft's own MFC library (probably the most popular library ever used by Windows programmers), but resisted. There are just too many assertions that make no sense.
... I'm glad that I don't allow FB apps on my profile. It looks boring as f, but at least security issues are not a problem. Really. Honest.
And of course my email to FB pointing to this article and telling them to get their finger out of their backsides and do something about it instead of disclaiming it.
:-)
Well, if this vulnerability allows for profiles to be deleted, I am all for it. I had a FB account for a few weeks, thought it was utterly useless, and tried to close it down. I found out that you could only make it "dormant", as opposed to being able to delete the whole thing. So I hope someone will inject the malicious code into my "dormant" profile.
As for PHP & MySQL, if it's good enough for EL REG to run WordPress, then it's good enough for me :-)