Facebook permissions bug locks in malicious apps

[UPDATE] A bug in the Facebook mobile app allows a malicious app to prevent users from removing it. Updated to include Facebook reaction.

A malicious Facebook app could prevent the user from revoking permissions or removing the app, according to MyPermissions, an ISV that makes software to protect user privacy.

[Update: A Facebook engineer responded to MyPermissions: "We've been in touch with MyPermissions directly and are waiting to receive more information from them. At this point, we haven't been able to reproduce the reported issue or validate the existence of a vulnerability."]

Facebook apps often require capabilities to access and use personal information. Consider iPhoto below:


According to MyPermissions, an app author "... could make it impossible for you to revoke an app's permission to access your information." Presumably this would be a malicious app. The user would be unable to remove it. If they tried, they would get one of the error screens below:


The bug only affects the Facebook mobile app but, as the company says, "... nearly half of Facebook's users now access Facebook almost exclusively from their mobile phone." It's also very easy to forget about an app that is installed in your account.

The company says they have reached out to Facebook and that Facebook expects to provide a fix promptly. This story has been updated to include an initial response from Facebook.