Facebook permissions bug locks in malicious apps

Summary: [UPDATE] A bug in the Facebook mobile app allows a malicious app to prevent users from removing it. Updated to include Facebook's reaction.

A malicious Facebook app could prevent the user from revoking permissions or removing the app, according to MyPermissions, an ISV that makes software to protect user privacy.

[Update: A Facebook engineer responded to MyPermissions: "We've been in touch with MyPermissions directly and are waiting to receive more information from them. At this point, we haven't been able to reproduce the reported issue or validate the existence of a vulnerability."]

Facebook apps often require capabilities to access and use personal information. Consider iPhoto below:

[Image: FBPermissions, the permissions dialog shown when installing a Facebook app]

According to MyPermissions, an app author "... could make it impossible for you to revoke an app's permission to access your information." Presumably this would be a malicious app. The user would be unable to remove it. If they tried, they would get one of the error screens below:

[Image: FB.Error.Screens, the error screens shown when the removal attempt fails]

The bug only affects the Facebook mobile app but, as the company says, "... nearly half of Facebook's users now access Facebook almost exclusively from their mobile phone." It's also very easy to forget about an app that is installed in your account.

The company says they have reached out to Facebook and that Facebook expects to provide a fix promptly. This story has been updated to include an initial response from Facebook.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
