Security firm Trustlook has found at least 25,936 malicious apps using one of Facebook’s APIs, such as a login API or messaging API. Such malicious apps could then use and abuse a range of Facebook login profile data, such as name, location and email address, according to a recent blog post.
Trustlook uses a formula to calculate the risk score of apps based on 80 different criteria (such as permissions, libraries, risky API calls and network activity).
Malicious apps have also been known to embed APIs from other companies, including Twitter, LinkedIn, and Google. The challenge is that the API passes through information from the user’s profile, which malicious apps could then abuse. Flawed APIs could therefore potentially expose data about you (or the target) and other associated people.
Threatpost received additional feedback on the API abuse from other security experts who expanded on privacy, policy and regulatory implications this issue raises.