PAY ATTENTION: Facebook showing users permissions granted to 3rd party apps

By: (plus.google.com) +David Herron; Date: April 18, 2018

Tags: Facebook » Social Media

Buried in the Facebook user settings area is a page showing the permissions that have been granted to 3rd party applications. Most of us click through the permissions granting process - we just want to get to that game or whatever, and it's like a click-through-license that nobody ever reads. But recent events in Facebook's ecosystem shows the extreme danger of information leakage, of personal identifying data, from being too liberal with permissions grants. It's extremely useful that Facebook is calling attention to the permissions grants.

The above image appeared in my Facebook feed this morning. I would have just ignored it, but I know that this is incredibly important, and I wanted to see what's up.

If you don't get that notification, go to -- https://www.facebook.com/settings?tab=applications

In the Expired tab you'll see more applications that you, at some time, approved, but you did not use the application in so long that the tokens have expired. The service is able to renew the tokens as needed. After reviewing your active applications, its worthwhile to also review the expired applications.

Final note is that removing the application, and closing the account, once is useful. It's even more useful to make a habit of renewing this section of your Facebook settings to screen the applications. It's so easy to go through the approval process that you can easily build up quite a few approved applications, and even re-approve an application you'd previously removed.

The second final note is that other services like Twitter or Google or Github also have a similar list of approved applications. You'll need to hunt around the service user interface to see the permissions you've granted on those other services.

The following screenshots are collected from my personal account, with a few details blurred out.

This shows some of the 3rd party applications where I've approved access to my account.

For each of these - I've clicked on a button to Login With Facebook or an equivalent. Clicking on the button caused an OAuth process to occur, where an approval was generated, and cryptographically signed authentication tokens were given to that 3rd party.

WHen the 3rd party wants to access my account - presumably to do some action on my behalf - it uses those tokens.

See: Facebook, OAuth authorization protocol, user responsibility, Facebook responsibility

This screen is a must-read because it describes just how much of your information was requested by the 3rd party application.

The Facebook API's give 3rd party app developers access to information. The access request is disclosed when you sign into the application using Facebook credentials. From a legal standpoint that means you've been notified of the information request. However, as I said, I believe most of us just click through that screen without paying attention.

In this case they requested full access to my friends list, my e-mail address, and my profile. That's a fair amount of data and I'm not entirely clear why they need that much data.

Access to the friends list can be used for viral marketing efforts - that the service might turn around and send invitations to all my friends, or offer to send postings to my friends. That's somewhat legitimate because I might well want my friends to receive things from this service.

However - the service is receiving friends lists for every every user of the service. That means the service could correlate the friends of all its users in order to create a map of connections. Is there a legitimate business purpose for that? No. But, it's informatioon a spy agency might want to collect in order to spy on us more effectively or to find known associates of known miscreants because those assoicates might also be miscreants.

What if you got a friend request from some random Facebook user - I get these all the time - and that person later turns out to cause some havoc. The FBI or someone might start scrutinizing the Facebook friends of that person to try and find associates. That means you'll come under Official Scrutiny just because you responded to a random friend request.

At the bottom of this screen is some important links. For some reason they're grey and hard to see. I've put a red box around them so be on the lookout.

In this case I wanted to remove a few apps. In each case it was a service where I signed up, thinking it might be a useful service, and then later deleted the account on the service website. Facebook, however, still had this as an active application even though I'd deleted the account.

Hurm. Somethings wrong with that.

Before removing the app here, it's worthwhile going to the 3rd party application website and attempting to delete the account on that service.

AFTER DOING THAT, you should come back here and remove the application. One affect of removing the application is that the tokens will be revoked. By itself revoking the tokens given to the 3rd party will revoke their access.

The reason to take the extra step to delete the account is -- if the 3rd party does the right thing with data retention, it will then delete all data it collected from you.

After agreeing to revoke the application, Facebook gives you this notification.

« SmugMug Buys Flickr -- leaving free account holders in the dark? Apple's monopolistic repair policies bite YouTuber who disassembled iMac Pro »
2016 Election Acer C720 Ad block AkashaCMS Amazon Amazon Kindle Amazon Web Services America Amiga and Jon Pertwee Android Anti-Fascism AntiVirus Software Apple Apple Hardware History Apple iPhone Apple iPhone Hardware April 1st Arduino ARM Compilation Artificial Intelligence Astronomy Astrophotography Asynchronous Programming Authoritarianism Automated Social Posting AWS DynamoDB AWS Lambda Ayo.JS Bells Law Big Brother Big Data Big Finish Big Science Bitcoin Mining Black Holes Blade Runner Blockchain Blogger Blogging Books Botnets Cassette Tapes Cellphones China China Manufacturing Christopher Eccleston Chrome Chrome Apps Chromebook Chromebox ChromeOS CIA CitiCards Citizen Journalism Civil Liberties Clinton Cluster Computing Command Line Tools Comment Systems Computer Accessories Computer Hardware Computer Repair Computers Conservatives Cross Compilation Crouton Cryptocurrency Curiosity Rover Currencies Cyber Security Cybermen Daleks Darth Vader Data backup Data Formats Data Storage Database Database Backup Databases David Tenant DDoS Botnet Department of Justice Detect Adblocker Developers Editors Digital Photography Diskless Booting Disqus DIY DIY Repair DNP3 Do it yourself Docker Docker MAMP Docker Swarm Doctor Who Doctor Who Paradox Doctor Who Review Drobo Drupal Drupal Themes DVD E-Books E-Readers Early Computers Election Hacks Electric Bicycles Electric Vehicles Electron Eliminating Jobs for Human Emdebian Encabulators Energy Efficiency Enterprise Node EPUB ESP8266 Ethical Curation Eurovision Event Driven Asynchronous Express Face Recognition Facebook Fake News Fedora VirtualBox Fifth Doctor File transfer without iTunes FireFly Flash Flickr Fraud Freedom of Speech Front-end Development Gallifrey git Github GitKraken Gitlab GMAIL Google Google Chrome Google Gnome Google+ Government Spying Great Britain Green Transportation Hate Speech Heat Loss Hibernate Hoax Science Home Automation HTTP Security HTTPS Human ID I2C Protocol Image Analysis Image Conversion Image Processing ImageMagick In-memory Computing InfluxDB Infrared Thermometers Insulation Internet Internet Advertising Internet Law Internet of Things Internet Policy Internet Privacy iOS Devices iPad iPhone iPhone hacking Iron Man iTunes Janet Fielding Java JavaFX JavaScript JavaScript Injection JDBC John Simms Journalism Joyent Kaspersky Labs Kindle Kindle Marketplace Large Hadron Collider Lets Encrypt LibreOffice Linux Linux Hints Linux Single Board Computers Logging Mac Mini Mac OS Mac OS X Machine Learning Machine Readable ID macOS MacOS X setup Make Money Online March For Our Lives MariaDB Mars Mass Violence Matt Lucas MEADS Anti-Missile Mercurial MERN Stack Michele Gomez Micro Apartments Microsoft Military AI Military Hardware Minification Minimized CSS Minimized HTML Minimized JavaScript Missy Mobile Applications Mobile Computers MODBUS Mondas Monetary System MongoDB Mongoose Monty Python MQTT Music Player Music Streaming MySQL NanoPi Nardole NASA Net Neutrality Network Attached Storage Node Web Development Node.js Node.js Database Node.js Performance Node.js Testing Node.JS Web Development Node.x North Korea npm NVIDIA NY Times Online advertising Online Community Online Fraud Online Journalism Online Photography Online Video Open Media Vault Open Source Open Source Governance Open Source Licenses Open Source Software OpenAPI OpenJDK OpenVPN Palmtop PDA Patrick Troughton Paywalls Personal Flight Peter Capaldi Peter Davison Phishing Photography PHP Plex Plex Media Server Political Protest Politics Postal Service Power Control President Trump Privacy Production use Public Violence Raspberry Pi Raspberry Pi 3 Raspberry Pi Zero ReactJS Recaptcha Recycling Refurbished Computers Remote Desktop Removable Storage Republicans Retro Computing Retro-Technology Reviews RFID Rich Internet Applications Right to Repair River Song Robotics Robots Rocket Ships RSS News Readers rsync Russia Russia Troll Factory Russian Hacking Rust SCADA Scheme Science Fiction SD Cards Search Engine Ranking Season 1 Season 10 Season 11 Security Security Cameras Server-side JavaScript Serverless Framework Servers Shell Scripts Silence Simsimi Skype SmugMug Social Media Social Media Warfare Social Network Management Social Networks Software Development Space Flight Space Ship Reuse Space Ships SpaceX Spear Phishing Spring Spring Boot Spy Satellites SQLite3 SSD Drives SSD upgrade SSH SSH Key SSL Stand For Truth Strange Parts Swagger Synchronizing Files Tegan Jovanka Telescopes Terrorism The Cybermen The Daleks The Master Time-Series Database Tom Baker Torchwood Total Information Awareness Trump Trump Administration Trump Campaign Twitter Ubuntu Udemy UDOO US Department of Defense Virtual Private Networks VirtualBox VLC VNC VOIP Vue.js Walmart Web Applications Web Developer Resources Web Development Web Development Tools Web Marketing Webpack Website Advertising Weeping Angels WhatsApp William Hartnell Window Insulation Windows Windows Alternatives Wordpress World Wide Web Yahoo YouTube YouTube Monetization