By the Webroot Threat Team
Anyone clicking on the lollipop displayed on the site is asked to grant the application access to a wide range of their Facebook data, plus further permissions such as posting on their behalf. If they accept, they get to see the application’s payload: a video in which an unhinged man views their Facebook account, growing increasingly distressed as he looks through their pictures, wall posts, and friends’ status updates.
The whole thing is incredibly well done. It ends with the disturbed Facebook stalker driving towards your location (you knew that Facebook stored your hometown location, right?) and getting out of the car in a menacing fashion. Taped to his dashboard is a Polaroid, containing your profile picture. Chilling stuff.
What is even more chilling is how much information this website is able to harvest about you after a single click on the ‘Allow’ button in the permissions dialogue it throws up. That grant does not expire when the video ends; it stays in force until you revoke it from the application settings of your account. What else have you allowed access to, and how much do these applications know about you?
There is an even more important question: who is writing these Facebook apps that harvest your most intimate personal and social data? There are seven million websites and applications integrated with Facebook, many of which request privileged access to your account data before they will give you whatever the developers promise. Most people blindly allow these applications access, without thinking about where the information might be going.
It takes almost no effort to become a Facebook developer. The company introduced some basic developer verification procedures last year, such as providing a credit card number or a mobile phone number. But of course, we know how many credit cards are stolen each year, don’t we? And how many mobile phones are stolen or cloned each week? A stolen card or a cloned phone satisfies that check just as well as a legitimate one, so it proves almost nothing about who is actually behind an application.