If you're my friend on Facebook, then today you might have received a message like this purporting to be from me:
In reality I did not send any messages like this on Facebook today. In fact, when that message was sent I was enjoying some good local Mexican food, which was abruptly interrupted by friends concerned that my Facebook account had been hijacked. The minute I got home I set out to check my recent message history and saw no messages of the nature that my friends described.
I then checked the recent login locations on my Facebook account and various other accounts to confirm that they were in fact not compromised. After determining my accounts were likely not compromised, I changed my passwords across the board using LastPass's secure password generator for good measure.
But what could have sent these messages? Well, considering I use Linux and my accounts were intact, clearly the culprit was a Facebook app that had gone rogue or had itself been compromised. I then set out to quickly (or maybe not so quickly) revoke access for all of my Facebook apps at once, but got this:
Oh no, what's this? I can't disable all my Facebook apps at once? You mean I have to revoke 459 Facebook apps by hand? Yes indeed, I did have to revoke 459 apps, which required an actual 918 clicks if you include confirming the removal of each app.
The moral of this blog post is: do not grant Facebook app access to third-party sites if they offer a standalone account system, because giving third-party sites access to your account can have the consequence of 918 clicks and some offended friends. Going forward I will be much more conservative about any app permissions I grant and will regularly audit the apps I do grant permission to.
I encourage others to also check out LastPass and YubiKey, both of which I have been using for about 18 months now and which have kept my account passwords strong and secure.