Facebook permissions bug locks in malicious apps

Summary: [UPDATE] A bug in the Facebook mobile app allows a malicious app to prevent users from removing it. Updated to include Facebook reaction.


A malicious Facebook app could prevent the user from revoking permissions or removing the app, according to MyPermissions, an ISV that makes software to protect user privacy.

[Update: A Facebook engineer responded to MyPermissions: "We've been in touch with MyPermissions directly and are waiting to receive more information from them. At this point, we haven't been able to reproduce the reported issue or validate the existence of a vulnerability."]

Facebook apps often require capabilities to access and use personal information. Consider iPhoto below:


According to MyPermissions, an app author "... could make it impossible for you to revoke an app's permission to access your information." Presumably this would be a malicious app. The user would be unable to remove it. If they tried, they would get one of the error screens below:


The bug only affects the Facebook mobile app but, as the company says, "... nearly half of Facebook's users now access Facebook almost exclusively from their mobile phone." It's also very easy to forget about an app that is installed in your account.

The company says they have reached out to Facebook and that Facebook expects to provide a fix promptly. This story has been updated to include an initial response from Facebook.

  • WOAH NELLIE! ! !

    What's the Devil doing in FaceBook?
    I was going to install this but not until I have control of my privacy.
    • D.

      He actually created Facebook.
  • Privacy with Facebook???

    Hmmm, I wasn't aware such a thing as privacy existed on Facebook...hehe!
  • Social sites a godsend to loss of privacy

    Seriously, do people even care about lost information anymore? I think when you consider the Target breaches, the Google information miners of the world and all the loosely kept information is a hacker's dream come true. Most people deserve a rogue app like this because nobody really reads the disclosures of what information you're sharing. Nobody cares until they have their identity stolen or credit card information or their bank account cleaned out. Then of course they care and will no doubt blame the Facebooks or Android app stores of the world. Ask yourself, people: if someone came up to you and offered you $20 if they could get your name, address, credit card number and other personal information, would you do it? The best protector of your information is you.