Applications that need to contact you can already do so via your inbox, application counters, and emailing you via Facebook’s email proxy. (A proxy which protects you from the malicious behaviour I’m about to describe…) There is just absolutely no reason that Mindjolt (no offense guys, you were the first that I saw using this and the rant below is not directed at you) needs to email me anything, ever…
As a Facebook Application developer, I’m probably going to be drawn and quartered for this “outrageous” rant against the very thing that every self-proclaimed mass marketing firm wants from you. And with Facebook apps being allowed to ask – getting this golden nugget is just so easy.
With Facebook apps and this new “feature” of being able to ask for your email address directly, I can do the following:
- Get your first and last name, along with other bits of personal information.
- Tie those things to your email address.
- Get a list of your friends.
- Send your friends email as you.
- Send email to you from your friends (providing they too have given up their email address)
- Create a completely fake, but oh-so-realistic realm of trust getting you and your friends to do things they wouldn’t normally do if the email came from “Joe’s Stupid Company”
- It also gives malicious applications your login name. One half of the mystery to actually logging in as you.
Sure, you can say “but there are good companies out there that won’t abuse this.” And you’re right. And I know for a fact there are many, many apps out there that would not abuse this. But I also know for a fact that there are many, many apps that are already trying to harvest as much of this information as possible.
This open can of worms allows for such extensive, high quality, personal, direct, and evil phishing scams to surface. And trust me, they will.
So, just say no when asked for your email address on Facebook.
Social engineering at its finest, right there.