Facebook dev move won't stop rogue apps, say researchers

Security researchers today said Facebook's new requirement that developers link legitimate accounts to their software won't stop rogue applications from infecting its users with adware.

On Wednesday, Facebook announced that it will now demand that developers verify a Facebook account to create new apps on the service.

"We're taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account," Niket Biswas, an engineer and technical project manager on the platform engineering team, said in an entry on the Facebook developer blog .

Developers can establish they have a legitimate Facebook account by confirming their mobile phone number or adding a credit card to the account. Facebook requires the same confirmation for users who want to upload large video files.

Although Biswas didn't mention rogue Facebook apps, the move was clearly aimed at trying to stop cybercriminals from building bogus software that dupes users into downloading other programs, including pop-up spewing adware.

"That's not going to hurt [the criminals] one little bit," said Roger Thompson, the chief technology officer for antivirus company AVG Technologies, in an instant message. Thompson has tracked several of the attacks against Facebook users launched by hackers on three consecutive weekends .

"Facebook is entirely too open at the moment," Thompson added. "Anyone can be a developer, with no cost to them at all."

Rik Ferguson, a senior security advisor at Trend Micro, agreed.

"What guarantees are there that any Facebook account is 'valid and real' in the first place?" he asked in a post today on Trend's CounterMeasures blog. "Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. If criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account, where does that leave us?"

Ferguson answered his own question a moment later. "It leaves us with a fake 'confirmed' profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuing to play Whac-A-Mole with the scammers," he said.

Both Ferguson and Thompson said that the only viable move Facebook could take would be to mimic Apple's App Store. Software for the iPhone and iPad must go through a review and approval process before Apple deigns to stick a program on its e-mart.

"If Facebook really wants to turn around the security situation when it comes to malicious or rogue content, then the only effective option is an application approval process, such as the ones already in place over on MySpace or on the Apple App Store," said Ferguson.

Thompson had the same idea, though he didn't think it was feasible for Facebook . "I don't think they can do much more without going to the App Store model, which is contrary to their business [model]," he said.

But Ferguson countered. "The effort that Facebook incident handlers currently put in to tracking down and suspending the ever-increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place," he said.

For three weekends in a row, Facebook users have faced rogue app-based attacks that plant adware on their PCs. This week, users have dealt with a string of so-called "like-jacking" attacks that spread links to malicious sites using Facebook's "Like" feature.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.