In a new privacy scare, several blogs reported a sneaky new security hole on Facebook yesterday. It was discovered that when you visit certain sites while logged in to Facebook, an app for those sites will be quietly added to your Facebook profile. Facebook displays no dialogue box or notification window asking permission.
These apps are related to Facebook’s sharing tools and the sites leaving this trail all have Facebook Connect integration, and the list includes heavyweights such as the Gawker network of blogs, the Washington Post, TechCrunch, CNET, New York Magazine, and formspring.me.
These apps are not visible to friends on the user’s profile page but users are able to view friends who also have the app installed on the app’s profile page. In a way allowing users to see others somewhat vague browsing history provided the websites they visit have Facebook integration.
It is to be noted that opting out of the new ‘Instant Personalisation’ feature does not stop these apps from being added.
Facebook has responded that it was a bug and has been fixed.
There was a bug that was showing applications on a user’s Application Settings page that the user hadn’t authorized. No information was shared with those applications and the user’s list of applications was not shown to anyone but the user. This bug has been fixed.
Users are advised to visit the application dashboard and remove any applications that installed itself without permission.