Facebook users had two security headaches to contend with this week.
Hackers took advantage of a security flaw to make it appear as if spam was being sent from users’ friends, while other online malcontents fooled 90,000 users into installing a snooping third-party Chrome plug-in.
Yesterday Facebook admitted that hackers were able to "gain information scraped from Friend Lists due to a temporary misconfiguration" on their site. With that data, in what the social network described as "a single isolated campaign," the hackers were able to send spam messages to users that appeared to come from friends. As CNET pointed out, although the names on the messages were familiar, the email addresses were not.
Since then, Facebook says they've fixed the problem and will "continue to iterate on our defenses to find new ways to protect people."
But that's little more than cold comfort to the almost 100,000 other users who installed a bogus Chrome plug-in that tracks users' browsing data.
According to research scientist Jason Ding, who brought this issue to light on the Barracuda Labs blog, hackers took note of user pushback when Facebook unveiled their new timeline layout earlier this year. With plug-ins that promised to revert to the old layout, prying eyes soon found their way into the histories and habits of tens of thousands of Facebook users.
But that's not where it stopped. The scammers created Facebook events to further market their malicious plug-ins, used TinyURL and Tumblr pages to redirect users to installation sites and coded the plug-in so that once it was installed an automated message would be posted on the victim's page.
While there are legitimate plug-ins that do what the scammers advertised, Barracuda Labs found that the legitimate ones request permission to access only facebook.com. The offending plug-ins request permission to access data on all websites, plus access to the browsing history.
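The permission difference Barracuda Labs describes is visible in an extension's manifest. The following audit script is an added example, not code from the article, Barracuda Labs or any real plug-in; both manifests in it are constructed for illustration, and it flags exactly the two signs named above: host permissions that cover every website, and the "history" permission.

```javascript
// Chrome extension manifest audit (added example, constructed manifests).
// Host permissions that match every site; <all_urls> is Chrome's catch-all.
const ALL_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isAllHosts(pattern) {
  return ALL_HOST_PATTERNS.has(pattern);
}

// Returns a list of human-readable findings; an empty list means the manifest
// stays within the scope a "Facebook-only" plug-in would need.
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (isAllHosts(p)) findings.push(`host permission "${p}" grants access to data on every website`);
    if (p === "history") findings.push('"history" permission exposes the full browsing history');
  }
  // Content scripts injected on every page are the same over-reach by another route.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isAllHosts(m)) findings.push(`content script runs on every site via match "${m}"`);
    }
  }
  return findings;
}

// Constructed manifest scoped the way a legitimate layout tweak would be.
const legitimateManifest = {
  name: "Example Layout Tweak (constructed)",
  manifest_version: 2,
  permissions: ["*://*.facebook.com/*"],
  content_scripts: [{ matches: ["*://*.facebook.com/*"], js: ["layout.js"] }],
};

// Constructed manifest showing the over-broad requests the article describes.
const suspiciousManifest = {
  name: "Example Timeline Remover (constructed)",
  manifest_version: 2,
  permissions: ["<all_urls>", "history"],
  content_scripts: [{ matches: ["*://*/*"], js: ["track.js"] }],
};

console.log("legitimate:", auditManifest(legitimateManifest));
console.log("suspicious:", auditManifest(suspiciousManifest));
```

Running it prints no findings for the scoped manifest and three for the over-broad one, which is the check a user or reviewer can apply to any "Remove Facebook Timeline" plug-in before installing it.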
Security experts at Barracuda advise Facebook users not to use any "Remove Facebook Timeline" plug-ins. Regardless of whether they're malicious or not, giving up your Facebook access to a third party is not a decision to be made lightly.