Sixteen Facebook apps secretly share your data with third parties


A team of academics this week described a method that can help identify when Facebook application developers surreptitiously share user data with third parties. Called “CanaryTrap”, the technique was detailed by researchers at the University of Iowa in a white paper released Monday, titled “CanaryTrap: Detecting Data Misuse by Third-Party Apps on Online Social Networks”.

In the broadest sense of the term, honeytokens are fake data, tokens or files that computer experts plant on their network. When that data is viewed or used, administrators can detect malicious activity. In the CanaryTrap white paper, the honeytokens were unique email addresses that the academics used to register Facebook accounts. After registering an account, the researchers installed a Facebook application, used it for 15 minutes, and then uninstalled it.

The researchers then monitored the honeytoken's mailbox for new traffic. If the inbox received new emails, then it was clear that the application was sharing user data with a third party.

Over 1,000 applications tested

The research team also said it used Facebook's advertising transparency tool "Why Am I Seeing This" to check whether an advertiser was using a honeytoken email address to target users with Facebook ads.

The university team said it had tested 1,024 Facebook apps using its CanaryTrap technique and identified 16 apps that shared email addresses with third parties, which resulted in users receiving emails from unknown senders.

Of the 16, only nine apps disclosed that they had a relationship with the email sender. This relationship was usually with an affiliate website or a business partner unrelated to the app, but even when the apps disclosed data-sharing agreements, the inboxes generally received emails unrelated to the app.

However, seven apps did not disclose that they were sharing user data with outside parties. For these seven, the research team said it was unable to determine whether the application developers were sharing user data with a third party intentionally and without user permission, or whether the user data leaked online as part of a security incident, such as an exposed server or a hacker intrusion.
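The monitoring and attribution steps described above can be sketched as follows. This is an added example, not code from the CanaryTrap project: the HMAC-derived address scheme, the app names, the `.example` domains and the verdict labels are all assumptions made for illustration, and the inbox messages are constructed.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"    # assumption: secret held by the monitoring team
MAIL_DOMAIN = "honeytoken.example"  # assumption: mail domain the team controls
# Constructed test apps: each app's own sending domains and disclosed partners.
APPS = {
    "quiz-app": {"own": {"quizapp.example"}, "disclosed": {"partner.example"}},
    "photo-app": {"own": {"photoapp.example"}, "disclosed": set()},
}

def honeytoken_for(app_id):
    """One unique, unguessable address per app, so any mail maps back to one app."""
    tag = hmac.new(SECRET, app_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{MAIL_DOMAIN}"

REGISTRY = {honeytoken_for(app_id): app_id for app_id in APPS}

def _matches(domain, allowed):
    # Exact or subdomain match only, so "notquizapp.example" != "quizapp.example".
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def classify(raw_message):
    """Return (app_id, sender_domain, verdict) for one email in the honeytoken inbox."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    app_id = REGISTRY.get(rcpt)
    if app_id is None:
        return (None, domain, "not-a-honeytoken")
    if _matches(domain, APPS[app_id]["own"]):
        return (app_id, domain, "recognized")
    if _matches(domain, APPS[app_id]["disclosed"]):
        return (app_id, domain, "disclosed-third-party")
    return (app_id, domain, "undisclosed-third-party")

def sample_inbox():
    """Constructed messages standing in for mail received after the app was uninstalled."""
    quiz, photo = honeytoken_for("quiz-app"), honeytoken_for("photo-app")
    return [
        f"From: Quiz <news@mail.quizapp.example>\nTo: {quiz}\nSubject: hi\n\nbody",
        f"From: offers@partner.example\nTo: {quiz}\nSubject: deal\n\nbody",
        f"From: promo@notquizapp.example\nTo: {quiz}\nSubject: win\n\nbody",
        f"From: x@unknown-sender.example\nTo: {photo}\nSubject: pay\n\nbody",
    ]

if __name__ == "__main__":
    for raw in sample_inbox():
        print(classify(raw))
```

The From header is sender-controlled, so a real pipeline would classify on authenticated sender domains (SPF or DKIM results) rather than on the header alone.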

Facebook takes its developer policies in hand

The resulting email traffic was bad, the researchers said: in the case of honeytokens shared by three applications, the inboxes received emails containing sextortion threats, spam and other scams. The researchers said they found only 16 apps with this behavior, but that is because they tested only a small sample of 1,024 apps. If more apps were tested, the researchers expect they would find others that share user data with third parties.

The academics have open-sourced the CanaryTrap research and related tools on GitHub. They said they shared CanaryTrap “to help independent monitoring organizations detect abuse of data shared with third-party applications without the cooperation of online social networks.”

A Facebook spokesperson said the company is still analyzing the CanaryTrap paper. However, the social network is well aware of its problem of “dishonest application developers” and, in recent years, it has taken steps to clean up its developer base. Over the past year, Facebook has sued several developers and changed its terms of use and development policies to gain more power in enforcing strict controls on user data.

The latest change in Facebook’s fight against app developer abuse took place on Wednesday, when Facebook announced its most recent set of updates to its developer platform terms and policies, due to take effect on 31 August 2020. The company said the new terms limit the information developers can share with third parties without receiving explicit user consent, and also ensure that developers understand they have a responsibility to protect user data if they use the Facebook platform and user base to develop their own business. In theory, these changes close the gaps reported by the CanaryTrap team.


