First, their title sure as hell is sensationalist. Facebook wasn’t “hacked,” unless you consider someone violating an end-user license “hacking.” No technical controls were circumvented. The headline is there to get pageviews, period.

Second, the TOS was not usurped, it was violated, and the programmer was not clever. The Facebook API supports this behavior, for heaven’s sake! That’s why the TOS forbids it and why there are two mechanisms by which end-users can control the level of access applications have to their information.

Third, I did read the article.

Fourth, RWW was wrong on the facts, just as the BBC was. Read the third paragraph in their story. I’ll reproduce it here:

It’s possible for a malicious Facebook application, like the one used in the news story, to masquerade as a game or a quiz. And unlike protecting yourself from phishing emails, it’s not simply good enough for you to “know better” yourself – if even one of your friends installs the app, your details get stolen too.

This is simply wrong. Facebook’s Application Privacy page is there precisely for this purpose. I can stop my friends’ applications from accessing my information. The level of control I have is surprisingly granular, actually.

But yes, most users aren’t savvy enough to move beyond the default settings, and most don’t read the fine print. Of course I understand that.

At best the evidence supports an argument that Facebook users are at risk to have some of their person details stolen by third-parties. Given that I know of no instance where this scenario played out, at least the “severe” scenario painted by the BBC and RWW, I’m not too worried and Grandma shouldn’t be either.

In short, all of this is intended behavior. Facebook anticipated it two years ago when they first launched the API and put several levels of control to prevent it. Both the BBC and RWW, by talking about “exploits,” “attacks,” “hackers,” etc. are just ginning up an empty story to get pageviews. Simple as that.

RWW go on to point out the need for user action to allow such exploits to work. They also privilege their readers to the facts that commenter Robin Cannon pointed out: most users are unaware of the risk involved in allowing 3rd party access to data. Most users don’t understand REST requests or APIs. Most users would be shocked to find out that their favorite Facebook applications are not official Facebook properties in the least. (Do you actually think most people pay attention to all the squiggly patterns that you and I call “words” (aka the plain warnings about 3rd party authorization)?? They don’t.)

The BBC was using language that they knew the common person would understand and hoped it would force them to be very leery next time they log into Facebook (as well they should be)… something you, in a hasty act of injustice, are trying to downplay.

So, in the interest of all the “moms” out there take a step back and recall the BBC piece and then read your article… who is dangerous? You are. After watching the BBC piece my Mom would be incredibly cautious with her Facebook account for fear of “hackery” or foul-play. Your article, on the other hand, make’s it sound like the world is peachy and Facebook and “the law” are policing everything to keep us all safe from malice. Anyone with an iota of intelligence and know-how concerning the web should be well aware that our data are not safe and average people need all the help they can get in realizing that they should not be so free with their trust. In the future I would hope, that in the interest of my mom, you would think twice before A.) trying to “punk out” mainstream media for informing their audience of the dangers of personal information online and B.) Criticizing a headline of a fellow blog without reading the article it identifies.

I’ll eat my words if there’s one instance of identity theft aided by this technique. IMO it’s too complicated, the benefit is too little, and it’s too easy to mitigate if it becomes known.

I see, for example, people getting their Facebook accounts phished on a regular basis and spamming their friends with ring tone offers. People who have access to a real, live account can do much more damage, e.g., they can get people’s emails and phone numbers, which is simply impossible with the API.

As regards the article as a whole, while I think the BBC exaggerated the danger some, I think this underestimates it. Yes, I think Facebook has got itself legally covered because of the options it’s providing users. But I also think it’s legitimate to highlight that many (most?) Facebook users may not be the most tech-savvy and that the potential dangers, and the extent to which they can protect themselves using Facebook’s own settings, are going to go over their head. Certainly it’s not something that Facebook highlights, for obvious reasons.

Look at the privacy page. There are no references to any specific applications.

It applies to any and all applications I haven’t explicitly granted or denied access to my information. It says that right in the text of the page: “The following settings apply only to Facebook Platform applications to which you have not already granted access or explicitly restricted.”

I can do three things with applications: whitelist them, blacklist them, and set the default access policy. The Application Privacy page, which is the section you’re quoting, lets me set the default policy.

I’ve set it so, by default, applications can only get my profile photo. If a friend installs an app I haven’t whitelisted or blacklisted that’s all it can access.

>> For application that I haven’t installed but my friends have installed, I have full control over >> what they can and cannot see on Facebook’s Application Privacy page.

the problem is – you even don’t know what apps your friends use
so how can you block them. supposed that you trust your friends.