Many organizations are encouraging their employees to be part of Facebook. One company I have dealings with recently encountered PicDoodle entries appearing on Facebook that claimed to be posted by its employees. The problem is that these employees were unaware that they had made these postings.
What happens is that an email message is initially sent:
Bugs Bunny tagged a photo of you in the album “PicDoodle Photos”.
To see the photo, follow the link below:
http://www.facebook.com/n/?photo.php&pid=etc.
Thanks,
The Facebook Team
If Bugs follows the link, he will get the message:
‘check my cool doodle’ – watch me draw this PicDoodle here –> http://apps.facebook.com/picdoodle/view?drawing_id=rest deleted
In this photo: a list of bugs friends, including you
To protect the privacy of Bugs’s friends, I have replaced their names with “a list of bugs friends, including you.” At this point, Bugs was asked to share his information. When he did, the PicDoodle application sent the above email to his Facebook friends and posted to their sites a message similar to:
Bugs was not asked to send the emails or to make the posts. One person who shared their information reported:
Yes, I’d been seeing it too with others’ names. So, I finally gave in and let it see my info…. I knew better, but curiosity got the better of me
Douglas Bordner, in his post “Facebook Account Mining/Phishing expedition,” provided this description of the PicDoodle application:
The application allows a person to draw or doodle over jpeg images in one’s albums…After allowing said access, so that I could view someone else’s post, one of my photos was doodled with three exclamation marks in the upper left corner, was posted with this supposed quote “I love this sweet pic” under my by-line, and a new album with this image was created under my account. Then all my friends were sent a notification that they had been tagged in the photo. In point of fact I never doodled the image, created the album nor did I tag anyone. The picture was of myself and one other person.
Even when PicDoodle is not “misbehaving” and creating empty pictures, one has to question the access it requests and the actions it takes. Below are a few postings that provide additional insight and help with Facebook security:
- PicDoodle virus shows Facebook’s true colors.
- Facebook: Spammy PicDoodle App Not A Virus, Getting Fixed.
- Facebook best practice: Sophos recommended privacy settings for Facebook.
- Facebook’s Facebook Security area.
- Privacy Controls in Facebook Pt. 1 and Pt. 2 by Elizabeth Kricfalusi.
- A guide to Facebook security settings by Matthew Tommasi.
Whether it is a virus or a misbehaving program, be aware of the consequences of sharing your information. After his experience, Douglas decided that he would “not be playing with any of the Facebook toys that require access to my account info, friend lists or contact information in order to work.” That sounds like a wise decision, especially for those trying to use Facebook for business purposes.
