Naked Security readers have asked us once again to warn of a rapidly spreading photo-tagging scam on Facebook, this time with the grammatically curious title "This Girls Must Be Watch Out Of Her mind After Making This Video".
Here's one wise Facebook user's advice:
We first wrote about this sort of scam back in April. Just look at the Request for Permission dialog from a typical rogue application:
Let's look at those permissions:
* Access my basic information. That seems OK, since you're agreeing to share information which you've shared already.
* Post to my Wall. This lets an application act as if it were you. Think about this: it can post anything, about anyone, linking to anywhere, in your name. You are giving the application the right to offer statements and opinions on your behalf, without asking you. That's an awful lot of power.
* Access my data any time. Combined with the previous permission - to speak on your behalf - this is very close to giving the application a power of attorney over your Facebook account. Do you ever really want to do that?
* Access my photos and videos. This effectively removes any privacy controls you enjoy over images of your personal life.
And a new way of abusing the above-mentioned power of attorney is open to rogue Facebook applications: deliberately tagging you in images in which you don't appear.
In this latest scam, which borrows a long-running prurient Facebook meme about "Girl must be out of her mind," you appear to be tagged in a pornographic, or at least semi-pornographic, movie, which is then recommended to your friends.
Of course, this raises two questions about Facebook's facial recognition. Firstly, now that it's universally enabled, why does it allow you to be tagged in photos in which you obviously don't appear? (The April scam I linked to above tagged you in photos of food which contained nothing even vaguely resembling a human face.)
Secondly, is it really acceptable to allow tagging without the permission of the taggee? Back in March, we wrote about a judgment in the Kentucky courts which decided that the law does not require the taggee to be asked. But is that a good enough standard for Facebook to follow?
Facebook will notify you when a friend tags you, but I'd love to see that changed to a stricter default. You should be notified and be asked to approve the tag before it is accepted by the system.
Lastly - and this shouldn't really need saying, but I shall say it anyway - DON'T APPROVE FACEBOOK APPS, TAKE SURVEYS, OR PROACTIVELY LIKE ANYTHING in return for access to a video.
If you really must see for yourself whether "This Girls Must Be Watch Out Of Her mind After Making This Video", why don't you just search for it on YouTube, thus sidestepping the Facebook scammers entirely?
Or learn a touch of restraint, because it goes a long way towards improving your security online. In short, THINK BEFORE YOU CLICK.
PS. My apologies for SHOUTING above. But we ought to know better by now!