Apps that bite

Last reviewed: June 2010

Popular software applications (apps) available on Facebook let you take a quiz or play games like Farmville and Scrabble with others. Many social network users we surveyed were either confident that such apps are secure or hadn't given the subject much thought. But we project that 1.8 million computers were infected by apps obtained through a social network in the past year.

Kevin Johnson, a senior analyst at the security consulting firm InGuardians, recently showed how easy it can be to place an app on Facebook that does more than meets the eye. His app, KanyeWestify, imitates an infamous exchange between Kanye West and Taylor Swift during a music-awards show. The app posts a message on selected friends' walls in response to their status updates, telling them Beyoncé does whatever they did better. But Johnson says it also allowed him to grab the browsing history of anyone who signed up to use it, along with profile data of the user and friends. He says he has since removed the app's history-collecting capability.

Johnson isn't surprised that his deceptive app wasn't weeded out and removed from the network by Facebook. He says the company does a pretty good job of catching apps that download malicious software, adding, "But Facebook doesn't remove those that collect data, because it's within their terms of service."

A Facebook representative told our reporter that the company requires app developers to ask only for data that's needed for the application to function. Facebook says that it enforces the policy through spot checks and has disabled apps found in violation. It also says that no app can access the contact information or other sensitive information of any Facebook user without their permission.

When we tried to download an app, however, the service displayed a notice saying that the app can grab your profile information, photos, friends' info, and other content that is necessary for it to work. That could include a lot of sensitive information. For example, your profile can include your hometown and your children's names.

When you use an app, its developer can collect non-contact information from all of your friends' Facebook accounts. But anyone can protect their data from apps they're not using by setting a privacy control.