Monday, November 29, 2010

How Facebook Applications Can Download All the Messages in Your Inbox

Via (The Not-So Private Parts) -

When Facebook rolled out its new Messages feature earlier this month — combining emails, chats, and SMS messages in one inbox and offering people email addresses — security engineer Joey Tyson tweeted, “Do you really want all your e-mail, IMs, and texts combined with all the data Facebook already has about you?”

SomeEcards expressed it differently: “One benefit to Facebook’s new email system is that your privacy can now be violated all in one place.”

One privacy protection model is to scatter your data about to make it more difficult to parse, akin to keeping valuables in different hiding spots in your house to thwart intruders getting everything in one go. For this reason, some people may be uncomfortable making Facebook their one-stop-shop for photo sharing, friend accumulation, and email storage. Another issue that may give the privacy-conscious pause is the fact that a Facebook permission exists that gives application developers the ability to download the content of your inbox…


If a user gives an application the “read_mailbox” permission, that application can have a field day with your private communications — downloading the content of a message, when it was sent, who it was sent to, etc.


The read_mailbox permission is not some kind of security oversight on Facebook’s part. “As with many products, we opened up an API for messages to make it possible for developers to create new opportunities on top of Facebook products,” says a Facebook spokesperson. “For example, with the messages API, a developer could create an application that people could use to read their Facebook messages directly from their desktop.”

She reiterated that an application can only rifle through a Facebooker’s messages if he or she “grant[s] expressed permission for the application to access his or her inbox on their behalf. And they can end that connection at anytime.” A recent post on the Facebook Developers blog reassures developers that, with the permission, they’ll still be able to access users’ inboxes under the new Facebook Messages.

Facebookers, here’s another reminder to pay attention to what an application asks permission to do when you add it to your Facebook page. And to think twice before deleting your non-Facebook email accounts.
