Slashdot reader lod123 quotes ThreatPost:
At least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address. Trustlook discovered the malicious apps using a formula, which created a risk score for apps based on more than 80 pieces of information for each app, including permissions, libraries, risky API calls and network activity… A malicious app (with a risk score above 7) “might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls,” a spokesperson told Threatpost…
To be fair, Facebook is not the only company with its APIs embedded in malicious applications… “The problem, for the most part, is that this is data that is provided when their login is used elsewhere. The API is simply passing through intelligence it has gathered from their profile,” said Chris Roberts, chief security architect at Acalvio, via email. “LinkedIn, Google and Twitter, among others, have similarly flawed APIs that can be used to harvest information both about you (the target) and possibly associated individuals…depending upon queries and other developer privileges that are being exploited.”
A Trustlook spokesperson summarized their position after the report. “Just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs.”
Source: Slashdot – Tens of Thousands of Malicious Apps Use Facebook’s APIs
