2.11.08

"Your Perfect Man Quiz"--a possible exploit of a security hole in Facebook?

I recently started to receive a ton of invites to the "Your Perfect Man Quiz" on Facebook.  This application apparently invites all your friends to take the quiz when you activate it.  (I took it because I assumed that it was actually thoughtfully sent to me...FWIW, I'm apparently looking for a guy who is rich and mysterious =])

But here's the thing.  Twice it asks you if you want to invite friends.  I skipped the invites BOTH TIMES.  So it invited everyone without my permission.  I didn't think apps could do that. 

So, Facebook, tell me.  Is this a flaw in your app framework?  I suppose it's a query to get the friend list, then a command to invite each person in that list...simple, once you have access.  So maybe it's not a hole, but a misuse of the system.  But apps shouldn't do this, because it makes the invite system meaningless; invites become spam.

Here's my solution:  Only allow apps to invite people using Facebook's Select Friends dialog.  Don't allow apps to randomly invite whosoever they choose; just allow them to show a list of friends and have the user pick who they'll actually invite.  Maybe a little limiting, but that will kill spam fast.

There's my 2 cents.
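A sketch of how a platform could enforce the "Select Friends dialog only" rule proposed above, added here as an illustration; it is not code from this post or from Facebook. All names (`issue_selection_grant`, `send_invites`, the grant format) are hypothetical, and it assumes the dialog is rendered by the platform, which signs what the user picked so the invite endpoint can reject everything else.

```python
import hashlib
import hmac
import json
import secrets

# Platform-side secret; apps never see it (constructed for this example).
PLATFORM_KEY = secrets.token_bytes(32)
_used_nonces = set()


def _sign(payload: bytes) -> str:
    return hmac.new(PLATFORM_KEY, payload, hashlib.sha256).hexdigest()


def issue_selection_grant(user_id, app_id, picked_ids, friend_ids):
    """Called by the platform's own friend-picker dialog, never by the app.

    Only IDs the user ticked AND that really are their friends are included.
    """
    chosen = sorted(set(picked_ids) & set(friend_ids))
    payload = json.dumps(
        {"user": user_id, "app": app_id, "to": chosen,
         "nonce": secrets.token_hex(8)},
        sort_keys=True,
    ).encode()
    return {"payload": payload, "sig": _sign(payload)}


def send_invites(app_id, user_id, recipients, grant=None):
    """Invite endpoint the app calls. Returns the IDs actually invited."""
    if grant is None:
        return []  # user skipped the dialog: nothing may be sent
    if not hmac.compare_digest(_sign(grant["payload"]), grant["sig"]):
        return []  # forged or altered grant
    claims = json.loads(grant["payload"])
    if claims["user"] != user_id or claims["app"] != app_id:
        return []  # grant was issued for a different user or app
    if claims["nonce"] in _used_nonces:
        return []  # replayed grant
    _used_nonces.add(claims["nonce"])
    allowed = set(claims["to"])
    # The app may ask for the whole friend list; only picked IDs go out.
    return [r for r in recipients if r in allowed]
```
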

1 comment:

Jiraa said...

completely agree!! It is bullshit going on