An academic study used unique "honeytoken" emails to register for a Facebook account, install Facebook third-party apps, and then waited to see which inboxes received emails from unrecognized senders.— Catalin Cimpanu (@campuscodi) July 2, 2020
Fun fact: emails used with 3 apps received sextortion and Viagra spam. Go figure pic.twitter.com/jhyxAlaeTu
A team of academics this week has described a method that can help identify when developers of Facebook apps suddenly share user data with third parties.
Named CanaryTrap, the technique was detailed in a whitepaper published Monday by academics from the University of Iowa entitled "CanaryTrap: Detecting Data Misuse by Third-Party Apps on Online Social Networks."
At its heart, CanaryTrap revolves around the honeytoken concept. Honeytokens, in the broadest sense of the term, are fake data, tokens, or files that IT staff plant across their network; because no legitimate process should ever touch them, any access to or use of that data lets administrators detect malicious activity.
In the CanaryTrap research, the honeytokens were unique email addresses that the academics used to register Facebook accounts. After registering an account, the researchers installed a Facebook app, used it for 15 minutes, and then uninstalled it from the account.
The researchers then watched for new traffic in the honeytoken email inbox. Because each address had been given to exactly one app, any email that later arrived from an unrecognized sender showed that the app had shared the user's data with a third party.
In addition, the research team said it used Facebook's ad transparency tool, "Why am I seeing this?", to monitor whether any advertiser had used a honeytoken email address to target Facebook users with ads. The team said they tested 1,024 Facebook apps with the CanaryTrap technique and identified 16 apps that shared email addresses with third parties, leading the honeytoken inboxes to receive emails from unknown senders.
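The attribution logic described above can be modelled in a few dozen lines. The following is an added example, not code from the CanaryTrap paper or its authors: each app under test gets its own honeytoken address, incoming mail is attributed back to the app that received that address, senders that are neither the platform nor the app itself are flagged, and the flagged sender domains are compared against the partners the app discloses. The app names, addresses, domains and messages are all constructed for the example; the ad transparency signal is not modelled.

```python
"""
Added example (not from the CanaryTrap paper): a minimal model of the
honeytoken attribution that CanaryTrap performs on e-mail inboxes.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Mail from the platform itself is expected in every honeytoken inbox,
# since the address was used to register the account. (Constructed list.)
PLATFORM_DOMAINS = {"facebookmail.com", "facebook.com"}


@dataclass(frozen=True)
class Message:
    to: str        # honeytoken address the message arrived at
    sender: str    # raw From: header value
    subject: str


@dataclass
class Finding:
    app: str
    honeytoken: str
    unrecognized: dict = field(default_factory=dict)  # sender domain -> subjects
    disclosed: bool = False  # every unrecognized domain named by the app's policy?


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of a From: header; tolerates display names."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(honeytokens, app_domains, disclosed_partners, messages):
    """
    honeytokens:        app name -> unique honeytoken address handed to that app
    app_domains:        app name -> domains the app itself legitimately mails from
    disclosed_partners: app name -> third-party domains the app's policy discloses
    messages:           Message objects collected from the honeytoken inboxes
    Returns app name -> Finding for every app whose honeytoken received mail
    from a domain that is neither the platform's nor the app's own.
    """
    by_token = {addr.lower(): app for app, addr in honeytokens.items()}
    findings = {}
    for msg in messages:
        app = by_token.get(msg.to.lower())
        if app is None:
            continue  # address we never handed out: not attributable to any app
        domain = sender_domain(msg.sender)
        if domain in PLATFORM_DOMAINS or domain in app_domains.get(app, set()):
            continue  # expected traffic from the platform or the app itself
        f = findings.setdefault(app, Finding(app=app, honeytoken=honeytokens[app]))
        f.unrecognized.setdefault(domain, []).append(msg.subject)
    for app, f in findings.items():
        f.disclosed = set(f.unrecognized) <= disclosed_partners.get(app, set())
    return findings


# Constructed sample data: three hypothetical apps, one honeytoken each.
HONEYTOKENS = {
    "QuizApp": "ct-quiz-7f3a@example.org",
    "PhotoFilter": "ct-photo-91bc@example.org",
    "Horoscope": "ct-horo-44de@example.org",
}
APP_DOMAINS = {
    "QuizApp": {"quizapp.example"},
    "PhotoFilter": {"photofilter.example"},
    "Horoscope": {"horoscope.example"},
}
DISCLOSED = {"QuizApp": {"affiliate-deals.example"}}  # only QuizApp names a partner
MESSAGES = [
    Message("ct-quiz-7f3a@example.org", "Facebook <notification@facebookmail.com>", "Welcome"),
    Message("ct-quiz-7f3a@example.org", "QuizApp <hello@quizapp.example>", "Your quiz results"),
    Message("ct-quiz-7f3a@example.org", "Deals <promo@affiliate-deals.example>", "Exclusive offers"),
    Message("ct-photo-91bc@example.org", "Support <help@photofilter.example>", "Thanks for installing"),
    Message("ct-horo-44de@example.org", "Unknown <news@bulk-mailer.example>", "Weekly horoscope deals"),
    Message("ct-horo-44de@example.org", "Unknown <news@bulk-mailer.example>", "Urgent: your account"),
    Message("someone-else@example.org", "x@y.example", "not one of our honeytokens"),
]


def run_demo():
    """Run the analysis over the constructed sample and return the findings."""
    return analyze(HONEYTOKENS, APP_DOMAINS, DISCLOSED, MESSAGES)


if __name__ == "__main__":
    for app, f in run_demo().items():
        status = "disclosed partner" if f.disclosed else "UNDISCLOSED sharing"
        print(f"{app} ({f.honeytoken}): {status}; senders={sorted(f.unrecognized)}")
```

On the sample, QuizApp is flagged but its only unrecognized sender is a disclosed partner, Horoscope is flagged with an undisclosed sender, and PhotoFilter produces no finding. As the article notes, a finding of this kind cannot by itself distinguish deliberate sharing from a leak or breach on the app's side; it only establishes that the address left the app.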
Only nine of the 16 apps disclosed a relationship with the email sender. This relationship was usually with an affiliate website or business partner, but even where the apps did disclose their data-sharing agreements, the inboxes usually received emails that had nothing to do with the application.
The remaining seven apps did not disclose that user data was being shared with outsiders. For these seven, the research team said they were unable to determine whether the app developers had shared user data with a third party deliberately and without the user's permission, or whether the data had leaked as part of a security incident, such as an exposed server or an intrusion by a hacker.
In some cases the shared data also attracted malicious email traffic: for honeytokens shared by three apps, the researchers said the inboxes received sextortion threats, spam and other email scams.
The latest change in Facebook's fight against app developer abuse came on Wednesday, when Facebook announced its latest set of updates to its Platform Terms and Developer Policy, which come into effect on August 31, 2020.
The company said the new terms limit information developers can share with third parties without users' explicit consent, and also make sure developers understand clearly that they have a responsibility to safeguard user data if they tap into the platform and user base of Facebook to build their own business. Theoretically, those new changes address the CanaryTrap team's reported loopholes.