Something Phishy is up at Playfish, and Why I Killed The Sims

I'm not real big on video games--as in, not at all. I only got on Facebook to begin with to interact daily with my precious daughter Jessica, so I also followed her into playing The Social Sims. Once in, I found I kinda liked it, so I indulged myself with a few minutes of play most days. But today, I had to block that application.

Why? Something phishy is going on at Playfish. What I mean is, as a Sims player, I had also "liked" their fan page here on FB, and through that, I had joined the Playfish Social Sims Forums, to receive tips, and particular links with free and bonus goodies for the game. The past two days, though, Playfish has been posting free stuff links ("Free Hammer") that are already expired. For this, I blocked them.

"Why?" you ask. Well, not only is it a complete waste of my time following dead links, but such a simplistic coding error two days in a row suggests to me a lack of competence behind the curtain, or possibly worse. It could mean some idiot at Playfish fancies themselves a hacker and is screwing around in a semi-unauthorized fashion under my Facebook OAuth credentials. At least, seeing this moronic babel, I am unwilling to trust Playfish with my FB login any longer.

Remember folks, any application or game that you run through Facebook essentially has access to your complete Facebook profile. FB is a neat platform for communications with people, but now as a security engineer, I think the OAuth capability to share access to my account with live applications is a major security hole that is bound to be abused. There's no possible way I can trust each and every unknown employee of every company that publishes an application to FB.

I have already had to block Angry Birds, when I caught it posting as me when I hadn't played it in months. That stupid "21 Questions" application was actually posting as me to my friends' walls, AND I DID NOT EVEN HAVE THAT APPLICATION ENABLED! It went completely rogue one night; no doubt there was someone at the company using the app shell (with my very old, cached FB credentials) posting as me. Why, I have no idea, but I reported them to Facebook security, and I haven't seen it happen since.

So, now I've blocked The Social Sims, and every game-type app. I still have a couple of non-game tools I really like enabled, like the New York Times FB app, that are from very well-known organizations. And I'll be watching those really close; they BETTER behave!
