Facebook Developers Access Personal Contact Information

Facebook has announced that developers of Facebook apps can now gather personal contact information from their users.

“User Address and Mobile Phone Number
We are now making a user’s address and mobile phone number accessible as part of the User Graph object. Because this is sensitive information, we have created the new user_address and user_mobile_phone permissions. These permissions must be explicitly granted to your application by the user via our standard permissions dialogs.

Please note that these permissions only provide access to a user’s address and mobile phone number, not their friend’s addresses or mobile phone numbers.”

The article on the Facebook developers blog goes on to post JavaScript SDK code to enable this.

Security firm Sophos describes it as ‘a move that could herald a new level of danger for Facebook users’ and advises users to remove their home address and phone numbers from the network immediately.

Facebook post: http://developers.facebook.com/blog/post/446

Graham Cluley, writing on Naked Security, says:

“Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission – and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service.

Now, shady app developers will find it easier than ever before to gather even more personal information from users. You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies.

The ability to access users’ home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users’ profiles.”

Full article: http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/
