Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
1/27/2016
10:15 AM
Michael Sentonas
Michael Sentonas
Partner Perspectives
50%
50%

When It Comes To Facebook Apps, Be Like Mike -- Not Bill

New apps such as Be Like Bill raise a red flag when it comes to privacy.

This is Mike.

Mike works in the security industry and is concerned about his privacy.

Mike wonders why people sign up for Facebook apps so quickly.

Mike doesn’t sign up for Facebook apps without a quick read of the terms of agreement.

Mike is smart.

Be like Mike.

A few months ago, people on Facebook were up in arms over a perceived breach of their privacy (which turned out to be a hoax), so they were posting the following status:

"As of September 29, 2015 at 10:50 p.m. Eastern standard time, I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, or posts, both past and future.” And so it went on for another 100 words or so. Aside from the fact that this was in response to a hoax, there was quite a lot of noise made about this supposed violation of their privacy. But my question is, how quickly do they give up their privacy when presented with a new app or new technology?

Fast forward to last week, and many people were creating posts with an app that does a cute summary of their actions or personality, accompanied by a stick figure. Now this app, Be Like Bill, has a pretty good privacy policy and terms. They clearly state, in a brief and readable format, that the information collected is only used to generate the post, will not be stored on the server, and will not be provided to other companies. The only clause that elicits any concern allows them “to use, edit your content with our service permanently, no limit and no recover.” I understand that this makes it a lot simpler to run the site without having to respond to concerns or requests to delete a post, but it does significantly reduce your options.

Many of these fun quizzes or posts go through everything that you have done on Facebook. That should raise a red flag about the potential privacy issues, but millions of people install them and trade their privacy for a brief moment of fun. Unfortunately, there’s a very fine line between an app that’s fun and one that can be damaging. Most fall in the fun category and ask for a limited set of information. However, at least one recent app asked for a bit more. 

If you install that app and give permission, the developers can harvest your:

  • Name, profile picture, age, sex, birthday, and other public info
  • Entire friend list
  • Everything you have ever posted on your timeline
  • All of your photos and photos you are tagged in
  • Education history
  • Hometown and current city
  • Everything you have ever liked
  • Your IP address
  • Info about the device you are using, including browser and language

I am not saying that this particular app is malicious, but no quiz or app should need access to this level of detail. They may or may not promise in the user agreement not to store it, use it, or sell it, but either way you have lost control of your data and associated privacy. It is much better for apps not to ask for it in the first place.

Harmless Or Harmful?

As a consumer, how do you tell the difference between fun and potentially damaging? Look closely at what the app is asking for, and think about the potential risk of that data. Consumers are the big target of these apps, and where security and privacy are concerned, people are always the weakest link. This same info could be used to guess passwords, security questions, or even impersonate someone for a bit of live social engineering, all of which have serious business implications.

Now, people have not been reading terms of agreement for decades, and they are not likely to start anytime soon. What I would like to figure out is why didn’t the Facebook privacy hoax rampage provoke concern over other apps? Or more important, what do we need to do differently so that data requests by every app, device, and Web page are treated with appropriate levels of privacy concern? Because at this rate, it is only a matter of time before we might as well just publish everything and save our adversaries the trouble.

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MichaelSentonas
50%
50%
MichaelSentonas,
User Rank: Apprentice
2/1/2016 | 1:07:37 AM
Re: Data and apps
All great points!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2016 | 8:42:03 AM
Data and apps
It's also worth pointing out that many bad-doers take the tack of creating an app that seems like fun (and maybe sometimes it is) -- and then they turn around and harvest the data and do bad things with it.

I think it also helps to see who is behind the silly app.  Major companies, for example, have a lot to lose by doing anything worse with your data than selling it to marketers.  OTOH, indie game designers with a good reputation are less likely to even do *that* with your data.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...