Facebook's new features can secretly add apps [Updated]

Facebook's new social features allow apps to be added to user profiles without any notification to the user. Macworld discovered this security concern and compared it to malware, given the secretive way these apps are added.

When a user visits certain websites while logged into Facebook, an app for the website is instantly added to the user's profile. The user is not prompted, the Facebook window does not have to be open, and the user does not need to be signed into the website that adds the app. Currently there is no option in Facebook's privacy and application settings to stop the app from being added.

The websites which add themselves automatically all appear to have Facebook's new sharing features integrated into their webpages. Macworld lists the Gawker network of blogs, the Washington Post, TechCrunch, CNET, New York Magazine and formspring.me as websites which automatically add themselves. 

These apps are not visible to friends on the user's profile page, but users are able to view friends who also have the app installed on the app's profile page. In a way, this allows users to see a somewhat vague browsing history of others, provided the websites they visit have Facebook integration.

It is important to note that opting out of the new 'Instant Personalisation' feature does not stop these apps from being added. Clicking the 'X' will delete the app, but it will be added again once you return to the website whose app was deleted. There is currently no way of stopping this. Under the 'Edit Settings' link for the added apps there will generally be a tab named 'Additional Permissions', which typically has the option 'Publish recent activity (one line stories) to my wall'. It is currently unchecked by default.

Facebook's intent seems to be that users who publish comments or interact through Facebook Connect with other websites that have Facebook's new integration features would be prompted to post the information on their Facebook profile.

Whilst this new issue does not directly publish information onto users' Facebook feeds or profiles, it does raise concerns about users' control over apps. The news of these secret apps comes just after a bug was revealed that allowed users to see other users' Facebook chats.

Update: Facebook have issued the following statement:

Application developers must comply with our Developer Principles and Policies, which require that applications provide a trustworthy experience. We have a dedicated team that conducts spot reviews of top applications and of many other applications, including looking at the data they need to run the application versus the data they gather. This team regularly enforces our guidelines and disables applications that we find to be in violation.

There was a bug that was showing applications on a user’s Application Settings page that the user hadn’t authorized. No information was shared with those applications, and the applications did not appear to anyone but the user. This bug has been fixed.

42 Comments

They are not "installing apps" and no data is being transmitted to the application. The applications are merely being listed in the Recently Visited Apps section, just like if you had visited the app's profile page (and not installed the app).

Ugh. Really, people?

Foolproof solution: if you don't want these apps that allow you comment on websites using your facebook account, then DON'T USE YOUR FACEBOOK ACCOUNT to comment on said websites. Make an account on the website, completely separate from your facebook account, and this whole "problem" will be avoided. Not that big of a deal.

Kaidiir said,
Ugh. Really, people?

Foolproof solution: if you don't want these apps that allow you comment on websites using your facebook account, then DON'T USE YOUR FACEBOOK ACCOUNT to comment on said websites. Make an account on the website, completely separate from your facebook account, and this whole "problem" will be avoided. Not that big of a deal.


you don't have to do anything in your post. simply browse to a site with fb open in your browser to a site that is in this program and it will install an app.

Kaidiir said,
Ugh. Really, people?

Foolproof solution: if you don't want these apps that allow you comment on websites using your facebook account, then DON'T USE YOUR FACEBOOK ACCOUNT to comment on said websites. Make an account on the website, completely separate from your facebook account, and this whole "problem" will be avoided. Not that big of a deal.


learn to read, this has nothing to do with commenting on websites with your fb account

I need step-by-step instruction to add "static.ak.connect.facebook.com" to Windows Host File in Windows 7. Thanks in advance.

I was considering deleting my FB profile a few days ago due to the constant crap that's on there. Friends' apps constantly trying to spam me etc. My profile is now scheduled for deletion in 14 days.

Shaun. said,
I was considering deleting my FB profile a few days ago due to the constant crap that's on there. Friends' apps constantly trying to spam me etc. My profile is now scheduled for deletion in 14 days.
Same here. This was now the 4th and final time I was tempted to delete my profile.

Edited by DVSBSTD, May 6 2010, 6:48pm :

Break.com seems to be one of them too.

This one day after the chat leak. Seriously Facebook? What is your plan? Self destructing your service before the end of the year and a quick cash in on selling our information despite how we set our privacy settings? Because you seem to be right on track with the self destruction part.

There is a way to block it once it already appears on your application list. In the application settings menu, click profile, then on the app's profile page, click block application.

This won't fix new applications from appearing, but will prevent the ones you block from reappearing.

Ryoken said,
Facebook need to go back to their roots.

Not going to happen. Whatever info you put up there they want to make money out of it. Not going to get any better. I'm just about hanging on as I can still make most of the stuff I don't want shared private, but when they start removing those options I think I will bite the bullet and leave even if it is handy to stay in touch with some friends.

Is this part of the Instant Personalization Pilot Program? Because while that is on by default (wtf), you can turn it off.

thornz0 said,
Is this part of the Instant Personalization Pilot Program? Because while that is on by default (wtf), you can turn it off.

From the article:

It is important to note that opting out of the new 'Instant Personalisation' feature does not stop these apps from being added.

Seems TG Daily are also using it.
Here's the actual facebook code that seems to be executing to add the apps - hxxp://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

I know it's not the best solution but I've done some testing and you can actually stop this behaviour occurring by adding static.ak.connect.facebook.com to your Windows hosts file... or some other blocklist.

VWW said,
Seems TG Daily are also using it.
Here's the actual facebook code that seems to be executing to add the apps - hxxp://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

Superb, added to my adblock list, I hope it does the job.

I do have concerns about current culture's ability to just give up their info to the public; however, if controls are in place to allow a person to choose for themselves if they want to share with the world, that's their call.

When a company backdoors stuff, that's a big problem.

Anarkii said,
I have to say, Facebook needs to redo its privacy from scratch. This is getting out of hand

It seems as if there isn't proper testing before the product is rolled out... surely a little bit of beta testing would have produced this flaw

Anarkii said,
I have to say, Facebook needs to redo its privacy from scratch. This is getting out of hand

Not gonna happen. Last time I checked Facebook was still bleeding money. User data is what they use for creating revenue. Less data available would not be a good business decision.

Edited by opensuse, May 6 2010, 4:57pm :

opensuse said,

Not gonna happen. Last time I checked Facebook was still bleeding money. User data is what they use for creating revenue. Less data available would not be a good business decision.

It's no wonder why. Facebook has to be one of the dodgiest companies around these days.


"Here, enjoy this new feature." Months later... "and now everything you did with it is public!"


It's becoming incredibly hard to justify using Facebook even as a simple directory, which is a shame because I actually like the design and idea, but I absolutely detest the implementation.

TogaForComfort said,
I really am considering deleting my facebook account. I keep seeing too many things like this being added.

Agreed. I can't keep taking these strikes against my privacy. It is getting too nasty.

Frazell Thomas said,

Agreed. I can't keep taking these strikes against my privacy. It is getting too nasty.


i'm deleting my account soon...

Sebianoti said,

i'm deleting my account soon...

"Ok".


I've been on the verge of deleting my acc several times... I can't seem to actually do it though. =/

Edited by Twisp, May 6 2010, 7:27pm :

Twisp said,

"Ok".


I've been on the verge of deleting my acc several times... I can't seem to actually do it though. =/

Me, too. I have that feeling right now but I know I don't have the balls.

this is disturbing to say the least.
using the same username or your real name is generally a bad idea on the web except for very few reputable sites/things such as mmo/shopping/banking. fb is the only "publicly viewable" site i use my irl name on, and i use a variety of handles for other sites i visit.
just ask boxxy about using the same username/handle on multiple social networking sites...

treemonster said,

just ask boxxy about using the same username/handle on multiple social networking sites...

Yeah no kidding. Boxee logged me in automatically to Youtube without asking because my username and password was exactly the same as in Boxee.

EmuZombie said,

Yeah no kidding. Boxee logged me in automatically to Youtube without asking because my username and password was exactly the same as in Boxee.

lol what? l2rinternet

EmuZombie said,

Yeah no kidding. Boxee logged me in automatically to Youtube without asking because my username and password was exactly the same as in Boxee.

Boxxy was a troll from 4chan. I don't quite know what happened to her though... I knew her real name was uncovered and I remember seeing a pic of her yearbook, so what did /b/ do to her?

advancedboy said,

Boxxy was a troll from 4chan. I don't quite know what happened to her though... I knew her real name was uncovered and I remember seeing a pic of her yearbook, so what did /b/ do to her?


All I have to say is: ...