Facebook Apps Allowing Access to Numbers, Addresses

Facebook recently announced that it is making user phone numbers and addresses available to developers, a move that a security expert said "could herald a new level of danger" for Facebook members.

Facebook isn't just releasing this information into the wild; it's adding it to the company's "User Graph object," or the permissions required to install an app.

"Because this is sensitive information, we have created the new user_address and user_mobile_phone permissions," Facebook wrote in a blog post. "These permissions must be explicitly granted to your application by the user via our standard permissions dialogs."

Facebook said the permissions only provide access to a user's address and mobile phone number, not their friend's addresses or mobile phone numbers.

Before installation, Facebook apps currently display a permissions-based menu that informs users what type of information the app is accessing. Going forward, users will be informed when the app accesses their phone numbers or addresses.

Sophos's Graham Cluley, however, said that even though the information will only be accessible when a user gives permission, "there are just too many attacks happening on a daily basis which trick users into doing precisely this."

"Facebook is already plagued by rogue applications that post spam links to users' walls, and point users to survey scams that earn them commission - and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service," Cluley wrote in a blog post.

Cluley suggested that scammers could set up a rogue app that collects mobile phone numbers and then uses that information to send SMS spam or sell the data to cold-calling companies.

Cluley wrote that only Facebook-approved app developers should be able to request this information or that app developers ask for the data rather than automatically grabbing it. In the meantime, he wrote, users should delete their phone numbers and addresses from their profile information.

Last year, there were reports that Facebook user IDs were being sent to third parties. Facebook initially proposed encryption as a possible workaround, but later opted to embed a user ID in a HTTP POST body, which means it will not be exposed in any HTTP referrer header at all; encrypted or not.

UPDATE: Facebook later reversed course and temporarily disabled the feature so it can make changes "to help ensure you only share this information when you intend to do so."

About Our Expert

Chloe Albanesius

Executive Editor, News

My Experience

I started out covering tech policy in DC for The National Journal, where my beat included state-level tech news and all the congressional hearings and FCC meetings I could handle. I later covered Wall Street trading tech before switching gears to consumer tech. I now lead PCMag's news coverage.

My Areas of Expertise

Getting my start in DC means I still have a soft spot for tech policy; Congressional hearings can sometimes be as entertaining as a Bravo reality show, for better or worse. But PCMag is all about the technology we use every day, as well as keeping an eye out for the trends that will shape the industry in the years ahead (or flop on arrival). I've covered the rise of social media, the iOS vs. Android wars, the cord-cutting revolution that's now left us with hefty streaming bills, and the effort to stuff artificial intelligence into every product you could imagine. This job has taken me to CES in Vegas (one too many times), IFA in Berlin, and MWC in Barcelona. I also drove a Tesla 1,000 miles out west as part of our Best Mobile Networks project. Of late, my focus is on our hard-working team of reporters at PCMag, guiding and editing their robust coverage.

Read the latest from Chloe Albanesius

Read full bio