Facebook's new social features allow apps to be added to user profiles without any notification being given to the user. Macworld discovered this new security concern and compared it to malware, considering the secretive way in which these apps are being added.
When a user goes to specific websites whilst logged into Facebook, an app for the website is instantly added to the user's profile. There is no prompt to the user, the Facebook window does not have to be open, and the user does not need to be signed into the website which adds the app. Currently there is no option in Facebook's privacy and application settings to stop the app from being added.
The websites which add themselves automatically all appear to have Facebook's new sharing features integrated into their webpages. Macworld lists the Gawker network of blogs, the Washington Post, TechCrunch, CNET, New York Magazine and formspring.me as websites which automatically add themselves.
These apps are not visible to friends on the user's profile page, but users are able to view friends who also have the app installed on the app's profile page. In a way, this allows users to see others' somewhat vague browsing history, provided the websites they visit have Facebook integration.
It is important to note that opting out of the new 'Instant Personalisation' feature does not stop these apps from being added. Clicking the 'X' will delete the app, but it will be added again once you return to the website whose app was deleted. There is currently no way of stopping this. Under the 'Edit Settings' link for the added apps there will generally be a tab named 'Additional Permissions', which typically has the option 'Publish recent activity (one line stories) to my wall'. It is currently unchecked by default.
Facebook's intent seems to be that if users publish comments on, or interact through Facebook Connect with, other websites which have Facebook's new integration features, they would be prompted to post the information on their Facebook profile.
Whilst this new issue does not directly publish information onto users' Facebook feeds or profiles, it does raise concerns over user control over apps. The news of these secret apps comes just after a bug was revealed that allowed users to see other users' Facebook chats.
Update: Facebook have issued the following statement:
Application developers must comply with our Developer Principles and Policies, which require that applications provide a trustworthy experience. We have a dedicated team that conducts spot reviews of top applications and of many other applications, including looking at the data they need to run the application versus the data they gather. This team regularly enforces our guidelines and disables applications that we find to be in violation.
There was a bug that was showing applications on a user’s Application Settings page that the user hadn’t authorized. No information was shared with those applications, and the applications did not appear to anyone but the user. This bug has been fixed.