Niall Kennedy/Flickr Facebook CEO Mark Zuckerberg shows off his profile page using Facebook Timeline.
Not all of Facebook’s 900 million global users are pleased with the mega-site’s slow lurch toward what it calls Timeline, a new profile format that displays photos, updates, wall messages and more based on when the material was posted over the lifetime of the user.
Internet security experts say the complaints have created an opportunity for hackers – special apps or browser plugins that promise to turn off the Timeline feature while also possibly misusing your sensitive personal information, such as details about where else you’ve been on the Web.
Researchers at Campbell-based Barracuda Networks looked at six such plugins available through the Google Chrome Web store that offer to remove Timeline. Plugins are downloaded and added to your Web browser – Internet Explorer, Safari, Firefox and Chrome – and can be used for everything from blocking pop-up ads to translating pages from a different language.
Three of the plugins request permission to access your Facebook page, which is necessary to block Timeline in the first place. The other three, however, claim to block Timeline, but they also request permission to access data from your activity elsewhere on the Web, even if you’re not logged into Facebook, said Jason Ding, a research scientist at Barracuda. They can do so because the plugin is attached to your browser, which you use to crisscross the Internet, not just check your Facebook page.
Internet users are notorious for clicking through permission requests without reading the fine print, and the desire of Facebook’s customers to dodge the implementation of Timeline means they could be trading convenience for cyber-victimhood.
“In this case, if you browse other websites – for example, when you purchase something – they can track your browser’s history and send it back to a server to know what you’re doing,” Ding said. “So if you fill out a form, or purchase something and put in your credit card information, they can access this information and send it back to the server.”
It’s suspicious for such plugins to access information unrelated to what’s being promised – removing Timeline. Internet users, Ding said, have to ask themselves what personal information is sensible for a plugin, add-on or smartphone app to retrieve in order to carry out the task offered.
“Anytime you have a single concern, just don’t click it or don’t install it,” Ding said. "... They should only access your Facebook data, not other websites.”
Ding also argues that Google should do more to monitor products in the Chrome store and keep out those that seem to be asking for too much information.
“They don’t have a very good mechanism to verify all these plugins, to check for malicious plugins or identify bad plugins,” Ding said. “So I think there’s more Google needs to do to protect Chrome users.”
Google spokeswoman Veronica Navarrete said in an email that the “bad” plugins have since been removed as a result of Barracuda’s analysis, and she added that apps and extensions “can potentially access all browsing data.” The company says that apps and extensions go through security checks and reviews, but the Chrome store also relies on researchers like Barracuda to flag suspicious items.
“You should review the permission messages and user reviews carefully when you install a Chrome app or extension and decide whether you trust the author with those privileges,” Navarrete wrote. “ … If an extension says it will improve a specific site, but it wants permission to every site, you should be suspicious and avoid it.”