Facebook's new features secretly add apps to your profile

When a piece of software is automatically installed on your computer without your knowledge, it's called malware. But what do you call it when Facebook apps are added to your profile without your knowledge? We discovered Wednesday that this is actually happening, and stopping it isn't as easy as checking a box in your privacy settings.

If you visit certain sites while logged in to Facebook, an app for those sites will be quietly added to your Facebook profile. You don't have to have a Facebook window open, you don't need to be signed in to these sites for the apps to appear, there's no notification, and there doesn't appear to be an option to opt out anywhere in Facebook's byzantine privacy settings.

The apps appear to be related to Facebook's latest sharing features and tools. The sites currently leaving this trail all have Facebook integration, and the list includes heavyweights such as the Gawker network of blogs, the Washington Post, TechCrunch, CNET, New York Magazine, and formspring.me.

It isn't entirely clear what information these apps are pulling from user profiles or feeding back to Facebook. They aren't automatically visible to friends viewing your profile page, but if you go to an application's profile page, you can see a list of your friends who also have that app installed, essentially getting an unintentional peek at their browsing habits. On the other side there are sites like the Washington Post's, which has a Facebook Network News box showing a list of your friends who have recently shared a Washington Post article on Facebook.

How to block the apps

Opting out of Instant Personalization does not stop these apps from appearing. Unfortunately, removing these kinds of applications requires more vigilance than just altering a setting.

To see a list of your current Facebook applications, click Account in the top right corner of Facebook, then select Application Settings from the drop-down menu. If you click on the Edit Settings link for one of the new applications, you'll always see one tab called Additional Permissions that has a box that's unchecked by default. Checking it will give that application permission to "Publish recent activity (one line stories) to [your] wall." Sometimes there is a second tab with an option to add a bookmark for that link to your wall. And a few apps also have a Profile tab where you can add a box to your profile for that site and pick a privacy level for it.

Clicking the X to delete an application will temporarily remove it from your applications list, but it will just be re-added when you return to that site. One work-around is to always log out of Facebook before surfing the Web. Another is to block each application after it appears. In order to permanently block an application, you have to click on the Profile link for that application in the Application Settings window, then click Block Application in the menu on the left side of the app's page.

What Facebook intended

The new features in Facebook's newly rolled-out Open Graph API are supposed to be used, with permission, for things like cross-posting comments and reviews on Facebook and external sites. For example, if you are logged in to a site like PC World or Macworld using Facebook Connect and you leave a comment on an article, you'll see a pop-up message asking if you'd like to publish the comment as a story to your wall. If you click Publish, the comment will show up in your friends' news feeds.

It's already been a rough week for Facebook and privacy. Recent issues have given the impression of a disorganized and buggy platform, and raised concerns about Facebook's ability to responsibly store and manage users' private information. Hopefully this latest issue is just another bug and not a new way of operating for the social networking site.

Facebook's Response

After this story was published, Facebook spokesperson David Swain contacted us and confirmed that the appearance of unauthorized apps was a bug:

In this case, there was a bug that was showing applications on a user’s Application Settings page that the user hadn’t authorized. No information was shared with those applications and the user’s list of applications was not shown to anyone but the user. This bug has been fixed.

It does appear that unauthorized apps are no longer being added to users' pages; however, any unwanted applications that were previously added will still need to be removed manually.

Article updated at 12:00pm to include a response from Facebook.
