Looks like it’s not enough for users to take action to prevent Facebook accounts from being hacked when the site is exposing user details for them. Mashable received a confirmation email from Facebook saying that this was a bug in a regular code push. With repeat incidents such as this, it’s obvious that the company’s QA (Quality Assurance) process is lacking, but with 400M+ users to satisfy, and infrastructure to constantly scale up, it’s no doubt a challenging task.

Did you notice anything amiss in your or a friend’s account last night? Have you had other privacy issues with Facebook? Do you feel that setting your privacy options in your profile is too complicated? Or do you think that no one cares about privacy on Facebook, mirroring something their CEO Mark Zuckerberg is said to have uttered recently?

If a user falls for this trick, the exe installs a rogue antivirus Security Tool on the computer. Once installed the virus continues to display misleading virus infection messages, restarts the computer every now and then, prevents the users from running executable files and occasionally renders the computer unusable by displaying a blue screen of death.

The full content of the email is pasted below:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date. Accounts that do not sumit the updated account agreement by the deadline will have restricted access to Facebook.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,

The Facebook Team

We are all too familiar with these hoax mails from the days of Hotmail and Yahoo Mail, when users received such emails and had to follow certain instructions in order for their email accounts to remain active. With the popularity of Facebook, the malicious entities have now switched their focus towards the social networking giant.

Panda Security Labs, a web security firm, has detected 16,000 Account Update email messages sent out to Facebook users since yesterday.The massive flooding of recent hoax chain message, regarding Automation Labs and the paranoia that it created, suggests that a large majority of Facebook users receiving such an email would likely fell for this trap.

If Facebook would ever have to communicate with you, it would do so via a message in your Facebook message box, rather than an email message. Be advised and not to open any such email. Make sure to let your Facebook friends know about this latest threat as well.

If Arrington’s sources are correct, one of those products may very well be an email product. So what sort of benefits would a Facebook email product have? We will speculate about some of the features that we hope to see in the new product.

Automatic Filtering By Strength Of Connection

One of the greatest opportunities Facebook has is to identify the strength of our various relationships. Without an email client, Facebook was fundamentally at a disadvantage to Google and Yahoo when it came to monitoring individuals’ communications. While users like to communicate via Facebook’s messaging system, there is still a large number of users which manage most of their communication through email.

For those individuals, determining how strong a relationship is cannot necessarily be determined by the number of times they click on someone’s profile. Instead, Facebook needs to know how often users are communicating with each other completely. Through developing the most efficient digital communication tools, Facebook can continue to improve their ability to monitor the strength of our relationships.

This information can be used to accomplish numerous things, most importantly: optimizing our communication. Facebook can determine what messages matter most to us and cut through a lot of the clutter. While we are still not at a point where Facebook has completely determined how strong our real-world connections are, launching an email service brings the company one step closer to that point.

Once that’s complete, Facebook can automatically filter out information which is most likely not related to us, based on who it’s coming from. If that person is not closely related to you, the messages will be of decreased focus.

Application Attachments

While Facebook already has enabled developers to add applications to inbox messages, there is still no way of adding applications to any email clients as an attachment. Rather than receiving an email message with an image, imagine receiving an application attachment which plays a song or displays an interactive game, without even having to download the object.

Facebook’s inbox already enables this, however it’s well know Facebook’s existing messaging platform has numerous weaknesses. By extending the attachment feature to email, Facebook will immediately have a competitive advantage over other email clients. As is the case with other platforms (phones, social networks, etc), which email we use may eventually be determined by the applications available to that email client.

Friend List Filtering

As we previously mentioned, Facebook should be able to optimize your messages based on the strength of your connection with someone, however they should also have friend list filters built into their system. Being able to grab all emails based on your affiliation group is extremely useful. Enabling this sort of functionality would also encourage users to take advantage of friend lists (something Facebook currently views as a “power user” feature).

Email Will Tell You How You Are Connected

Did you just receive a message from someone who was perceived as a random connection? While they can tell you how they know you, what if your inbox immediately told you how you were connected? Facebook now has over 400 million users and continues to grow rapidly, which means they have the ability to tell you how you are connected to a large percentage of the global internet population (which is currently around 1.7 billion users).

As Facebook grows to become the defacto communication tool on the web, it will be important to understand how you are connected to someone and be able to immediately view mini-profiles of those individuals. Imagine mousing over a user’s email address or name and instantly being able to see who they are, not just their email address.

Have greater context to the communications we have is extremely important and we can only hope Facebook will surface this type of data to users of their new email client.

Expansion Beyond 5,000 Contacts

Finally, we’d like to see Facebook expand their service beyond 5,000 “friends”. While it’s true that our immediate circle is limited in size, some individuals must keep in communication with numerous individuals. Being able to have at least some form of limited connection to the people who you exchange emails with is important.

Conclusion

While Facebook’s email product is still a rumor, we are hoping that the company launches the service in the near future. In our view, Facebook has the opportunity to significantly improve (if not revolutionize) the email experience. While we can already envision tons of privacy issues related to a Facebook email product (who’s profile information can you view within your emails, etc), we have been anticipating Facebook Mail (FMail?) since early on. What features would you like to see in a Facebook email product?

The problem is, that email notification address is accessible by anyone.  Meaning that if someone were to find that email somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).

The problem is, that email notification address is accessible by anyone.  Meaning that if someone were to find that email somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).

The problem is, that email notification address is accessible by anyone.  Meaning that if someone were to find that email somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).

While most developers are concerned about the deprecation of notifications, there will be 30 days until the existing Facebook notification system is deprecated. Between now and then, Facebook will be testing the new counter system and new homepage design. The new counter system is already in beta mode and can be tested by developers. While the shift to the new system may negatively impact some applications, Facebook’s timeframe should enable most application developers to make a smooth transition.

If you want to learn more about how user email addresses will be integrated with applications, read this article. Facebook has a number of user protections in place under the new system, however email addresses are email addresses and once developers have them, there’s always a risk for spam. Do you welcome the new system or do you think this is going to result in a wave of spam problems?

User Protections

In preparation for the transition, Facebook has highlighted complete details of how this will function for developers. Most significant are the numerous safe guards Facebook has put into place
to avoid abuse by third-party developers.

Email Domain Setting

The first protection Facebook is putting into place is the creation of a email domain setting, from which developers will have to specify the domain which emails will be coming from.

As Facebook states, “This is to safeguard against users’ email addresses being sold to third parties.” While Facebook doesn’t specify how they will ensure emails won’t be sold, the assumption is that among those developers who are suspected of abusing the system, Facebook will investigate and based on their findings they will shut down those developers who are in violation. Whether or not this layer of protection will be sufficient for protecting users is unknown.

User Education

The other step Facebook is taking to protect users is education about the new functionality. When users visit an application that request access to their email address, they will see a dialog (pictured below) at the top of every application canvas page which promotes the new feature. According to Facebook:

We will display these dialogs to all canvas application users — on every application they visit — for their next three sessions with each application. We’ll leave these dialogs up for three months after we launch email functionality, so that a user will see the prompt any time they visit your application during this period.

Proxied Email Addresses

In addition to educating users about the removal of notification and the sharing of email addresses, users will have the option to use a proxied email address if they wish to in order to completely protect against spam. This is an optional setting which Facebook decided to implement after extensive testing. As Facebook states, “In our tests we found that users strongly prefer having the option to share an anonymous email address.”

Additionally, if Facebook determines that an application is abusing the email settings, Facebook will set the user’s email address to the proxied version by default. This will be based on an automated algorithm, meant to detect abuse.

User Experience

While most of the user experience has been shown in the pictures above, we thought it would be useful to clarify the process which users go through when granting an application access to their emails. One thing to keep in mind is that applications can require users to grant access to their email. Alternatively, developers can make email access optional as it is at their own discretion. Developers should probably perform a fair amount of A/B testing going on as this new feature is rolled out to determine what the most effective balance is.

If you choose to request email permissions, the user will be prompted with the dialog below. Following their approval, users will continue to see the dialog pictured above, notifying them that they are sharing their email address with the developer of the application.

Email Address Disclosure Results Are Unknown

So what will the impact of the new email address permissions result in? Ultimately the change will be almost unnoticeable in the short-term as applications will function almost identically to how they previous did. Within 30 days of the launch of email permissions though, applications notifications will be deprecated. While abuse is possible, Facebook believes that the three primary protections put in place will be sufficient.

I can only imagine the future articles about applications which are set up for the purpose of collecting emails, however this is a transition that needs to be made. Facebook believes that the gradual opening of their platform presents a competitive advantage and will ultimately establish the company as the leading online identity provider. This is truly a huge milestone in the world of online identity and authentication but we’ll have to wait and see what the impact is.

Do you think Facebook’s decision to allow developers to request access to user emails is a step in the right direction? What do you think the impact will be?