Facebook appears to have U-turned on plans to allow external websites to see users’ addresses and mobile phone numbers.
Security experts pointed out that such a system would be ripe for exploitation by rogue app developers.
The feature has been put on “temporary hold”, the social networking firm said in its developers blog.
It said it needed to find a more robust way to make sure users know what information they are handing over.
“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and are making changes to help ensure you only share this information when you intend to do so,” the firm said.
The updates would be launched “in the next few weeks”, it added, and the feature will be suspended in the meantime.
Bad guys
Facebook’s volte-face is likely to be a case of ‘once bitten, twice shy’.
Last year, wide-ranging changes to privacy settings resulted in a loud chorus of disapproval from both users and privacy experts, including the Canadian privacy commissioner, Jenny Stoddart.
The firm was forced to radically simplify privacy settings. Ms Stoddart said at the time that the social network had “vastly improved” the sharing of personal information with third-party developers.
Facebook founder Mark Zuckerberg has made no secret of his desire to open up the relationship between the network’s 500 million members and the wider internet.
Having access to mobile phone numbers and physical addresses could have real benefits for users, the firm said in its blog.
“You could, for example, easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for the up-to-the-minute alerts on special deals directly to your mobile phone.”
But Graham Cluley, a senior analyst at security firm Sophos, said it would also be very easy for rogue developers to jump on the bandwagon.
“You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies,” he said.
Not required
Facebook has introduced a dashboard which allows users to decide what level of access to grant various apps they sign up for.
It also said that users would have to grant permission to any apps or sites that wanted to access people’s home address or phone number.
But many people still click ‘accept’ far too quickly, said Mr Cluley.
“Facebook does alert users to the fact that this information will be shared with others; warning prompts and other pop-ups are so frequent that they are often ignored,” he said.
“The best solution would be to permit users to provide this data, via a dropdown or checkbox, when they choose to add an application, but it should not be required,” he added.