The Facebook Friend Suggestions security scare


Updated: Warnings are being posted all across Facebook suggesting that users who have received multiple friend suggestions are really infected with a computer virus.

A typical version of the warning reads as follows:

VIRUS WARNING: ANYONE WHO HAS GOTTEN A TON OF FRIEND SUGGESTIONS BE CAREFUL! IT IS A VIRUS! IF YOU ACCEPT THEM THEN YOUR ACCOUNT WILL SEND OUT ABOUT 85 TO SOMEONE ELSE!!! WARN YOUR FRIENDS NOW! This is a new virus that is sending requests to spread. DO NOT ACCEPT FRIEND SUGGESTIONS AT THE MOMENT!


The reality, however, is somewhat different. Most importantly, seeing more than the usual number of Friend Suggestions is not a sign of a computer virus infection.

Instead, it appears that Friend Suggestions on Facebook now go to both parties, rather than just to the person you specifically suggest should take up your suggestion of a new online connection.

So, imagine you are Tom, and you think that your friend Dick should become Facebook friends with Harry. You visit Dick's Facebook profile, scroll down to where it says "Suggest friends for Dick" and choose Harry's name.

Your suggestion that Dick should become friends with Harry doesn't just go to Dick, but it will also now go to Harry as well. Presumably Facebook has made this change in order to encourage more users to interconnect.

But there's more.

As Facebook reveals on its help pages about Friend Suggestions, Facebook can also suggest possible friends for you to connect with.

It does this by automatically examining "the networks that you are a part of, mutual friends, work and education information, contacts imported using the Friend Finder, and many other factors."

Aside from the mysteriously ambiguous "many other factors", the thing I find concerning there is the reference to Friend Finder.

What Facebook means is that they can suggest friends based upon email addresses that you may have imported into Facebook from your email account address book, perhaps when you first set up your account.


What many people may not realise is that even if you didn't add everyone you imported from your address book as a Facebook friend, Facebook can still use those contacts imported from Outlook, Gmail, Hotmail, Yahoo, etc, in order to make future recommendations.

Therefore, Facebook may also see your email address in other people's contact lists, and determine relationships based upon that.

If this bothers you (and I can perfectly understand why it would), then Facebook says you can tell it to remove the contacts from its suggestions system. Of course, it might have been better if you hadn't offered up your address book to Facebook in the first place.

Facebook also says that you can change your privacy settings to prevent your profile from being visible to everyone as a potential friend suggestion.

More information about Facebook's Friend Suggestions system can be read online here.

Update: Some Clu-blog readers have been in touch with me, saying that although they agree that claims of a virus being spread via the friend suggestions are unlikely, they don't believe I have completely explained what is occurring.

Eero sums it up well in an email he sent me:

As you know, there are two distinct types of friend suggestions you can receive, one is where you get a personal message that your friend Bob suggests Carl as your friend, and the other is where you just see people Facebook thinks you might know based on common friends.

People are not getting these mixed up. I first saw this problem in action by getting a private message from Facebook that my friend "Bob" has accepted my other friend "Carl" as his friend based on friend suggestion made *by me*, when I've never made any friend suggestions in Facebook. Then I also noticed I also had received strange friend suggestions saying "This friend was suggested by 'Alice'", and 'Alice' promptly confirmed that she'd not suggested me to anyone or anyone to me.

Sure enough, some postings on Facebook confirm this (thanks to Clu-blog reader Pat for pointing me towards these):

[Image: Facebook friend suggestion mystery]

In other words, even if these contacts are being scooped automatically by Facebook from data it grabbed in the past from users' address books (via Friend Finder) it seems very strange that Facebook is claiming that a particular user has instigated the introduction, rather than Facebook coming up with the suggestion itself.

As such, it's still a mystery as to how this has occurred. Could it be that Facebook got its knickers in a twist with its database, that a rogue application was involved, or that a bug caused these messages to be sent?

It's hard to know for sure, as Facebook seems to be keeping schtum.

No doubt most of the souls forwarding and reposting this latest Facebook security scare to their profiles are oblivious to all these fine details, however, and are still believing that a virus is behind the suggestion messages that they are viewing.

Of course, it should still go without saying that, whether you receive a friend request or a friend suggestion, you should exercise caution about who you befriend on a social network, as it could be a cybercriminal rather than a long lost chum who is trying to access your profile.

Oh, and don't forget. If you're on Facebook you might want to become a Fan of Sophos on Facebook to ensure you are kept up-to-date with the latest security news.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.