New security fears for Facebook users

Computer experts have called for Facebook to review its security processes after the social networking website was hit by hackers five times in a week.

Four separate "rogue applications" and a virus targeted users of the site, according to security firm Trend Micro.

Although there is no evidence that people's personal details were stolen by the cybercriminals, experts fear that could be the next step.

The problem lies in the fact that Facebook allows people to create software to run on the site, but those applications do not need to be approved first.

Rik Ferguson, senior security adviser at Trend Micro, said: "I think that it is time Facebook had a review of its application vetting policy.

"It launched a service in November last year where people can pay to get their applications approved, but it is voluntary."

According to Mr Ferguson, the rogue applications which were active last week - Error Check System, Facebook Closing Down, Bigger Than MySpace and Closing Down - sent messages to users' profiles saying, for example, that a friend had reported a violation or had a problem contacting them.

Once the user clicked on the message or link, it was forwarded to everyone in their address book.

It also gave hackers the opportunity to steal personal information contained in the profile, Mr Ferguson warned.

The programs appeared to be test runs, with the next stage potentially proving more dangerous.

Mr Ferguson said: "It looks like this is a proof of concept. They did not appear to do anything malicious other than spread themselves extremely fast and well.

"Now they have worked out how to do it, we would expect to see more and more malicious applications."

On Saturday, a variant of the Koobface virus that first appeared on social networking sites last December added to Facebook's problems, Mr Ferguson said.

By getting users to visit a fake YouTube page, hi-tech criminals can then install malicious software on the user's computer.

Mr Ferguson advised people to be careful about the information they made available on Facebook.

Profiles should be set to private and not contain any details beyond what is absolutely necessary.

"Be very careful and do not click on any strange notifications," he said.

"If you receive a notification that looks suspicious do not open it."

A spokesman for Facebook claimed a review of its application vetting processes in the wake of security breaches would be like introducing "martial law" after two robberies.

He said: "We've tried to make the process of building on the Facebook Platform relatively easy in order to stimulate innovation - and to allow the kid in a college dorm room to compete against the big corporation.

"We've also built security into platform by preventing any application from accessing sensitive information like contact info.

"The vast majority of Facebook applications create unique and significant value for our users and do not seek to do anything nefarious with the limited information they can access when users authorise them.

"That said, we have a dedicated Developer Operations team that's responsible for investigating applications that show anomalous activity, or that are reported to us by our users.

"This team contacts developers to enforce our policies, either by placing restrictions on the application or by disabling it entirely.

"In this case, we responded quickly to user reports and disabled the application before too many people were affected.

"Other instances of developers abusing the system are rare.

"Finally, our developer community has more than 660,000 developers, which is about the population of Glasgow.

"The drastic measures others have suggested are akin to saying, 'there have been two robberies, we need to implement martial law in the city'."

Simon McCready, a partner in Deloitte's media team, said: "We have felt for a long time that the personal information shared on social networking sites gives rise to an increased risk of identity theft, particularly as many users will not consider security as a priority on such sites as they would do on online banking sites for example.

"The culture is therefore one of sharing rather than protecting, and thieves will inevitably take advantage of that.

"Possibly the most important action for social network sites is to educate users in online privacy, in a clear manner that neither trivialises nor exaggerates the way in which data is used."

© Examiner Echo Group Limited