Beware of Third Party Facebook Application Security Risks

You’ve seen it all over the place…  Privacy Concerns, Security Issues, Identity Stolen, Dangers of Social Networking, Social Media Threats, Personal Information Sold.  All too often Facebook is the culprit; notorious for breaching the confidences of the hundreds of millions of users who have profiles on the ever-popular Social Networking site.  The Wall Street Journal reported yesterday that their own investigations into Facebook uncovered that many of the more popular third party applications being used on Facebook have been providing access of personal information to dozens of advertising companies.

Unfortunately, no one knows for sure how long the breach has been in place and who exactly has been effected by it. But it is clear that this problem has been occurring for quite some time. In fact, I wrote about this very topic earlier this year in my article Facebook Privacy Concerns Continue. And if you go to Google and type in “Facebook Security Issues” more than 72 Million pages of information is populated.

Facebook and other sites on the Internet currently track their users’ online activities and patterns.  They are supposed to be tracking this information anonymously, but instead Facebook has created an exclusive User ID number that is uniquely tied to the profile of each individual user.   As a result, some of the most popular third party applications being used on Facebook have been transmitting identifying information, essentially the user’s name and in some cases the user’s friend’s names to third party Internet Tracking and Advertising companies.  This issue is said to affect tens of millions of profile users on Facebook, including those users who have opted to use the strictest of privacy settings.  In that case only the name of the user was given but if a user did not use the highest level of security, the Facebook ID can also give any information that is set to “everyone” including age, where the user lives, occupation and any posted pictures.

The Journal reports that news of the breach came just after the company announced it had created a control panel that lets users see which apps are accessing which categories of information about them.  According to the Journal the problem has ties to the fact that many companies build detailed databases on people in order to track their online patterns.  It is this practice that has lead to the Journal and others to examine this issue further.  Facebook made an announcement on Sunday, October 17, that they would work to “dramatically limit” potential exposure of personal information to outside sources.  An unnamed spokesperson was quoted as saying:

A Facebook User ID may be inadvertently shared by a user’s Internet browser or by an application,” the spokesman said. Knowledge of an ID “does not permit access to anyone’s private information on Facebook.”

Although Facebook prohibits application makers from transmitting user data to outside advertising and data companies, The Journal reported that all of the 10 most popular apps on Facebook were transmitting users’ IDs to “at least” 25 outside data companies.  The application culprits include Zynga Game Network Inc., FarmVille, with 59.4 Million Users, Texas HoldEm Poker with 36.3 Million Users, Frontierville with 30.6 Million Users, Cafe World with 21.9 Million Users, Mafia Wars with 21.9 Million Users and Treasure Isle with 15.3 Million Users.    The other Apps known to be transmitting user data are Phrases with 43.4 Million Users, Causes with 26.7 Million Users, Quiz Planet with 16.5 Million Users,  and IHeart with 14 Million Users.  Currently there are more than 550,000 third party applications available for use on the site, most of which are the work created by independent software companies and are not created by Facebook itself.

It’s not clear if developers of many of the apps transmitting Facebook ID numbers even knew that their apps were doing so. The apps were using a common Web standard, known as a “referrer,” which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referrers can expose a user’s identity.

The company says it has disabled thousands of applications at times for violating its policies. It’s unclear how many, if any, of those cases involved passing user information to marketing companies.

I am sure it is not sheer coincidence that this information comes out right on the cusp of the new movie “The Social Network” which was released earlier this month.  Or perhaps the movie came out as a result of all of the issues with Facebook security.  Either way, I find it ironic that during the creation of Facebook, (which was launched on October 23, 2003 from a Harvard dorm room) Zuckerberg was charged by the school administration with breach of security, violating copyrights, and violating individual privacy because he hacked into the protected areas of Harvard’s computer network in order to access and copy the houses’ private dormitory ID images.

The issues seem to be never ending and unless they make some drastic changes, the outcome could eventually be quite grim.  Could this be the beginning of the end for Facebook?


Warning & Disclaimer: The pages, articles and comments on do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of

Join the Discussion

10 comments so far.

  • [Avatar for Car repos]
    Car repos
    August 2, 2011 08:38 am

    Hi Renee, I just found this blog when I looking up some privacy concerns about facebook. Despite all the potential security problems, they just continue to grow and grow. I deleted my facebook account because I was simply not assured about the security.

    Anyways, I just wanted to say that I enjoyed reading your post. Thanks – Richy

  • [Avatar for Gene Quinn]
    Gene Quinn
    November 1, 2010 08:31 pm


    Since you seem to want to throw around your weight as an “internet security expert,” allow me to expose what you for what you are — an imposter. What you say is objectively and provably false, demonstrating that you just don’t know what you are talking about.

    First, you ask if is engaging in a privacy breach. Obviously the answer is no, which you would have known had you read our privacy policy. So tell me Ryan, what kind of irresponsible “interent security expert” makes such irresponsible suggestions without doing any research? Our privacy policy is located at the bottom of every page on the site, as is standard practice within the industry, yet you wanted to make a point without having to do the heavy lifting of clicking. Oh poor baby!

    Second, you suggest that by clicking on any link on IPWatchdog that we could know that YOU, some guy named Ryan who pretends to be an “internet security expert,” is interested in IP Security. That is laughable and inaccurate. There is no way for us to know who YOU are personally. We can at best know that someone who was reading our page exited our site to go elsewhere. We collect no personally identifying information and we do not track you personally, which you would know if you: (1) read our privacy policy; (2) if you knew how Internet statistics work; or (3) if you were an “internet security expert.”

    What makes Facebook different is that YOU do have an account there and YOU do log into that account in order to access the website. You can’t access your account or other Facebook information without logging in. Have you noticed that? Have you also noticed that you don’t have to log in to access information on

    You can choose to have an issue with the Wall Street Journal. I have issues with them from time to time, but nothing you have said here is any proof that the article was a sham or that it was a hit job. You also failed to notice that right after this Facebook article the Wall Street Journal did a similar article on MySpace, but since that doesn’t fit your predetermined narrative you haven’t mentioned it.

    So when going to a website and taking issue you should be ready for those who know more than you to call you out, which I have. If you want to continue going back and forth please go right ahead, because I obviously know more about the Internet and how it works than you do.


  • [Avatar for Ryan Merket]
    Ryan Merket
    October 21, 2010 02:55 am


    Well, then I guess my many years of internet security research, and applied principals don’t hold much weight. So then, I am forced to call out your ‘sources’ as irrelevant to the discussion since they are ALL either sourcing the same irresponsible sham-piece by the WSJ, or so outdated that they don’t pertain to the WSJ accusations.

    Please, let me educate you and your readers. When you browse around Facebook, your browser’s location bar (the part of the browser that tells you where you are, eg: “”) updates with your current location. When you are on Facebook, there is a chance that you may be viewing your own profile when you click a link that takes you off of Facebook. What happens is, and this is where the so called “breach of your privacy” happens. Your BROWSER sends the current location bar text (or “referrer”) to the next web page. It just so happens the location you were at had your Facebook user id within it. Thus, PRESUMABLY the next site is storing the information and getting your, wait for this, YOUR NAME! Scary!

    If you want to talk SCARY, let’s look at IPWatchDogs current location for this article, “” – If I click ANY link on this site, I will be telling the site that I was reading article number 12861, in which they can then PRESUMABLY know that I was into IP Security, and interested in Facebook security… PRIVACY BREACH!

    There, now do you see why the WSJ article is a sham? It’s not Facebook’s privacy breach, it’s an internet protocol breach (more specifically HTTP).

    But since you don’t believe me, and think the press has it right. Here are some reputable sources who agree with me:

    TechCrunch (October 18, 2010) Fear and Loathing at The Wall Street Journal

    Forbes (October 18, 2010) Did the Wall Street Journal Overreact to Facebook Privacy Concerns?

    PC World (October 19, 2010) Facebook’s Latest Privacy Fears are No Big Deal

  • [Avatar for Renee C. Quinn]
    Renee C. Quinn
    October 21, 2010 12:01 am


    First let me start by saying thank you for reading our online magazine.

    Second, I am simply reporting the news. I clearly state in my article that this has been an issue that has been clearly documented over the years and that I myself have written about this very topic in the past. I am sorry that you feel I did not do my research and that I blindly “sourced” the Wall Street Journal, a publication you clearly disregard. With that being said, perhaps these other sources will more suitably meet your expectations.

    You see Ryan, I DID do my research… Did you?


    Fox News (October 19, 2010) Congress Questions Facebook Over Privacy (October 19, 2010) Facebook Privacy Breach Exposes Users’ Facebook IDs

    BBC News (October 18, 2010) Claim: Some Facebook Apps Pass on Personal Info on Users

    Fortune Magazine (October 18, 2010) Facebook’s False Choice: What it Should Have Done to Preserve Trust

    New York Times (October 17, 2010) Facebook Apps Leak User Info to Third Parties

    Business Week (September 15, 2010) Facebook Poses Security Risk at Work Study Finds

    Wired (August 6, 2010) Twitter, Facebook Attacks No Surprise to Security Experts

    News Channel 10 (July 29, 2010) Facebook Security Breach

    TechCrunch (May 17, 2010) Facebook Privacy Glitch Exposes Your Cheesy Movie Quotes

    Fortune Magazine (May 27, 2010) Why Facebook’s Privacy Woes Aren’t Over

    CNN (May 14, 2010) Facebook Launches New Security Feature “The change comes amid rising concerns about privacy and security on the online social network, which has 400 million members worldwide.”

    CNet (May 8, 2010) Five Hidden Dangers of Facebook

    NY Times (May 5, 2010) Facebook Glitch Brings New Privacy Worries

    PC World (May 5, 2010) Facebook Fixes Bug That Exposed Private Chats

    Digital Journal (April 23, 2010) Facebook Security Breach, Your ID May Be for Sale

    Fortune Magazine (February 9, 2010) Cybercrime, the Next Generation

    PC World (February 2, 2010) Facebook Poses Biggest Security Threat to Businesses

    eWeek (February 1, 2010) Facebook Privacy, Security Fears Grow with Social Network Risks

    Business Week (July 31, 2009) Military May Ban Twitter, Facebook as Security Headaches

    PC World (March 3, 2009) Facebook Hit by Five Security Problems in One Week

    CNet (September 8, 2008) Facebook Botnet Risk Revealed

    BBC News (May 1, 2008) Indentity “At Risk” on Facebook

    Information Week (October 3, 2007) Facebook Privacy Settings Putting Users At Risk

    CNN Money (September 24, 2007) On the Internet, Everybody Knows Your Dog’s Name In the Facebook era, it’s easier than ever for thieves to hack into your online accounts. One way to protect yourself: Secure security questions

  • [Avatar for Renee C. Quinn]
    Renee C. Quinn
    October 21, 2010 12:25 am


    Thank you for reading our blog and thank you for taking the time to comment. It amazes me just how unsecured most of these sites are. We need to be wary not just of ads, but or the sites as a whole. Do not put any information on your profile that you would not want others to find out about.


  • [Avatar for Renee C. Quinn]
    Renee C. Quinn
    October 21, 2010 12:24 am


    Thank you for your comment and thank you for reading our blog.. I too have been subjected to issues of my accounts being hacked. Most recently I got an email from a woman related to someone I went to high school with telling me “No thank you but I am married and I am not into women.” What? When I asked her what she was referring to she told me she had gotten an explicit email from ME. I asked her to forward t to me and I found I got the same email from 2 or three other people. I opted NOT to click on the link.


  • [Avatar for Promotional Products]
    Promotional Products
    October 20, 2010 11:35 pm

    Thanks for these thoughts and warnings. I’ve always been wary about these ads, and I’m glad you were able to take the time to expand on this topic.

  • [Avatar for Stan E. Delo]
    Stan E. Delo
    October 20, 2010 12:11 pm


    Thanks for letting us know of this, which I find very disturbing. It reminds me of the fairly recent scandel that Twitter went through, and all of the obvious phishing attempts that were sent my way apparently by someone trying to masquerade as them.


  • [Avatar for Gene Quinn]
    Gene Quinn
    October 20, 2010 11:24 am


    Perhaps you should do more research yourself. You provide no facts to support your conclusions yet you take a swing at Renee? Please!

    You obviously have an agenda and it is laughable that you pretend that this is a hit job. As if your conclusions and personal dislike for the WSJ is fact.

    I always find it amusing when those who know so little want to take a swing and they do so by questioning our research. That is code for I don’t like the facts and think you should have continued to look until you found facts that fit my desired narrative. People like you, who are afraid of the truth, just make up facts and conspiracy theories. Disgusting really.

    Obviously you want to excuse actions that are inexcusable.

  • [Avatar for Ryan Merket]
    Ryan Merket
    October 20, 2010 12:10 am

    Hey Renee, you said it yourself, this is “breach” is because of existing web technologies, the “referrer” and NOT facebook. This is obviously a hit peice from the WSJ (which is owned by the same company as Myspace) that you blindly sourced as fact. Please do a bit more research into Internet technologies before you write as if you know what you’re talking about. Thanks.