Jan 17, 2011 11:55 GMT

Security researchers fear that Facebook's decision to give applications access to people's contact information could invite abuse from spammers and unscrupulous developers.

Facebook announced Saturday on the developer blog that two new permissions called user_address and user_mobile_phone have been created.

As their names suggest, applications can use these to access users' home addresses and mobile phone numbers, if defined in their accounts.

But, while these permissions require explicit consent from users, security experts are not convinced this sensitive information is protected enough.

"I realise that Facebook users will only have their personal information accessed if they 'allow' the app to do so, but there are just too many attacks happening on a daily basis which trick users into doing precisely this," says Graham Cluley, senior technology consultant at Sophos.

Mr. Cluley is referring to the flurry of survey scams that trick users into installing rogue apps and then abuse the permissions to post spam messages on their walls.

These attacks have repeatedly demonstrated that hundreds of thousands of users are still vulnerable to social engineering and don't pay much attention to what the app installation dialogs say.

"You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies," the security expert notes.

Facebook developers have been caught selling unique user identifiers (UIDs) to advertisers in the past. Since phone numbers and addresses are certainly worth more, the temptation will be even greater.

While people are not required to post their home addresses on Facebook, when it comes to mobile phone numbers, things are a bit more complicated.

Last October, Facebook rolled out a security feature known as one-time passwords (OTP), which requires a mobile phone number to be associated with the account.