Archive for the ‘Legal’ Category

Update: Facebook Security Fighting Koobface Worm, Chain Letters

Friday, August 29th, 2008

As many users are aware, Facebook has been fighting mounting security threats in recent weeks. Developers and analysts alike want to know more about what’s happening and what Facebook is doing to contain the threats, so here’s the story:

The Problems

1. A variant of the Koobface worm, originally detected by Kaspersky Lab a few weeks ago, has been spreading increasingly on Facebook in recent weeks. Here’s how it works:

Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.

Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.

2. In addition, recent chain letters have started to spread across Facebook with various types of misinformation, including messages like “Facebook is going to start charging you to use the site,” “Facebook is going to start shutting down accounts that aren’t active enough,” etc.

Facebook’s Response

Facebook has responded in a number of ways:

1. Facebook is deleting content generated by the worm (Facebook says they have “again contained” it) and spammy chain letters.

2. Facebook is posting updates on the status of security issues to the Facebook Security Page and publishing best practices for users to avoid phishing attacks, like these and these.

3. Facebook is asking users to pass on the following information:

We will never use any of the following methods to tell you information, or ask for you to take an action:

* Your Wall
* An inbox message from a friend—in other words, chain letters.
* Messages spread through Applications—if an application is telling you that Facebook is about to shut down, report it.

Since there’s been a lot of wrong information about Facebook spreading around, we’d like to clarify a few things for the record:

* We are not shutting down accounts that are not “active” enough.
* We are not going to start charging you to use Facebook.
* We will never ask you to send us your password or login information.
* We will never put the responsibility on YOU to send information to your friends. If we have information we need to share, it’s our job to get the word out.
* When we do communicate to you about the site (with the exception of posts made on this blog) it will always be from a collective Facebook. You won’t hear from me, personally, or from Mark, or from Dustin, or from any of the Facebook bloggers you’ve seen here.

So the next time you see a chain letter, chain wall post, or chain anything, report it to our User Operations team, and tell all your friends to ignore it. We could make a joke here about passing this entry on to ten of your friends, but that’s not cool.

4. Facebook is blocking Wall posts that contain links to known phishing sites.

5. Facebook is improving its automated systems to automatically detect abuse on the site more quickly.

6. Facebook is pursuing many of the perpetrators (the company sued alleged Facebook account hijacker Adam Guerbuez last week).

Conclusion

What do Facebook’s recent security issues mean in the long run? Ultimately, it’s vital for everyone involved in the Facebook ecosystem that Facebook continue to invest in security detection and prevention. Everything in Facebook depends on user trust, and everyone wants these issues to have as little impact as possible.


More Details on Facebook’s Battle With StudiVZ in Germany

Monday, August 11th, 2008

A few weeks ago, it was reported that Facebook had filed suit against German social network StudiVZ, accusing the company of “replacing Facebook’s blue colour scheme with a red one” and saying it was “seeking to end StudiVZ’s illegal activity to ensure that users are not confused and that Facebook’s reputation remains unharmed.”

Today, Kevin O’Brien at IHT reports that before Facebook sued StudiVZ, the companies had been in negotiations “for months” for Facebook to buy StudiVZ. However, StudiVZ’s owner, the Holtzbrinck Gruppe, is asking for “several times” the reported $134 million it paid for the site last year.

“Facebook may have the superior technology, but it doesn’t have the users in Germany,” said this executive [close to the deal], who insisted on anonymity because the talks were confidential. “That is what Facebook wants with StudiVZ.”

Due to pending legal action, both companies refused to comment.


In the past month

Friday, July 25th, 2008

In the past month, many major application developers have been on the receiving end of policy enforcement measures handed down by Facebook. Here’s an update on the current status of each application, including a look at the traffic repercussions of the measures taken.

Top Friends (Slide)

On June 26th, Top Friends was the first major app to disappear completely from the Facebook platform. The application was allegedly punished for violating the TOS by allowing access to non-friends’ personal information.

On July 5th, Top Friends resurfaced on the platform. Before the punishment, Top Friends users could use their profile box to quickly access the profiles of friends they visited often. To bring the application into compliance with the TOS, this functionality was eliminated: now, clicking a “top friend” directs to that user’s Top Friends profile within the application.

Despite this loss of functionality and the long outage, Top Friends traffic has rebounded impressively.

Social Me and Compare Hotness (SocialHi.com)

On July 1st, Social Me, a top 25 Facebook app, also disappeared from the platform. Compare Hotness, another SocialHi app, was also temporarily disabled.

An outpouring of support was seen for the Social Me app, even in the comments on this blog. On July 15th Social Me made its triumphant return to the platform, only to disappear again temporarily.

The app has now been available since the 16th, but has yet to recover its pre-July traffic levels.

Super Wall (RockYou!)

On July 6th, Super Wall’s traffic decreased rapidly. RockYou’s CTO and co-founder Jia Shen confirmed in an email that the app’s viral channels had been turned off for what he considered “slightly debatable” policy reasons.

Yesterday, Nick O’Neill interviewed Shen, who confirmed that Super Wall’s access to viral channels was back. It remains to be seen whether or not Super Wall can return to its position as the largest Facebook application.


Facebook Settles Hacking Suit Against Canadian Adult Site for $500k

Wednesday, July 16th, 2008

Adult website operator SlickCash, sued by Facebook for attempting to hack Facebook’s servers and steal user information in 2007, has settled the suit with Facebook for $500,000, according to the Canadian Press. As part of the deal, SlickCash employees have agreed not to become members of Facebook for the next 10 years.

Facebook accused SlickCash of hitting the Facebook servers with hundreds of thousands of requests in a coordinated attempt to obtain the contact information of its millions of users. While we do not know exactly how much Facebook user information SlickCash was able to obtain, the company has also agreed, as part of the settlement, not to contact any Facebook users whose contact info it obtained.

The case underscores the role users are trusting Facebook to play in protecting their privacy. Facebook contains much more personally identifiable information than any other web site (and possibly any government intelligence agency) for many of its 80 million active users.


London Facebook Developer Garage this Wednesday, July 9th

Tuesday, July 8th, 2008

The July Facebook Developer Garage in London is taking place this Wednesday evening.

For those that have never been, Facebook Developer Garages are attended by developers, clients wishing to develop applications, and new media agencies. There are usually relevant presentations and plenty of networking opportunities.

Here are the event details for Wednesday night:

* When: Wed, July 9, 6:30pm - 9:30pm
* Where: Sun Microsystems, 45, King William Street, London

The running list currently looks like this:

* Ashley Ward, CEO of European Leadership Forum, gives advice for raising money for your Facebook app
* Brad Rees and Jon Hill from Mediacells explore the future of mobile advertising on Facebook apps
* Matthew ‘Chewy’ Trewhella from Google enlightens us a bit on OpenSocial 0.8
* Mat Clayton, CEO of Wakari and developer of Become Rambo, tells us about his new cross platform app for the upcoming film Hancock
* Joshua March from iNetwork is back with part two of Tweaking your App
* Exciting news on a Formula One Application

More info can be found on the Facebook events page. It should be a great evening!


It’s Official – You’ll Soon be Able to Play Scrabble on Facebook

Tuesday, July 8th, 2008

Hasbro and EA announced today that the two companies will soon launch an official version of Scrabble on Facebook. Interestingly, their press release makes no mention of Scrabulous, although it does mention “the current interest in Scrabble for social networking”.

So will the creators of Scrabulous (the Agarwalla brothers) be quaking in their boots that everyone will migrate away to the official game? Probably not. For one, there is already an official version of Scrabble on Facebook for users outside North America (licensed by Mattel, the owners of Scrabble outside of the US and Canada, and produced by RealNetworks). It currently has less than 6,000 daily active users, compared to Scrabulous with just over 450,000. This version has been out since late March and has shown little growth since then.

Now there will be two official versions of Scrabble on Facebook, with Hasbro owning the rights in North America, and Mattel in the rest of the world. Try to play a game of the new EA Scrabble in the US with someone in the UK (e.g. me) and you won’t be able to. Somehow, I just can’t see how making the game “official” is going to take traffic away from the well-established Scrabulous.

This is one of the clearest examples of how older, bigger companies are struggling to meet the needs of social media. Scrabble’s geographical licensing issues currently seem to be hurting the companies involved more than the consumers. The length of time it has taken EA to develop the official Scrabble shows that older companies are not set up to operate as quickly as independent Facebook application and game developers. And as Jeremiah Owyang has previously written, brands are often risk-averse and too slow-moving to capitalize on the current social media opportunity.

We’ll see if the launch of the official versions of Scrabble causes Scrabulous’s earlier legal issues to re-emerge. If EA’s version flounders as RealNetworks’ has, it would not be too surprising if one day we were to log on to Scrabulous and be redirected to one of the official, geographically hobbled versions of one of our favourite board games.
