Facebook Applications Can Download All the Messages in Your Inbox

Hello Facebookers! It is time to pay more attention to what an application asks permission to do when you add it to your Facebook page. And to think twice before deleting your non-Facebook email accounts.

Security engineer Joey Tyson tweeted, “Do you really want all your e-mail, IMs, and texts combined with all the data Facebook already has about you?” when Facebook rolled out its new Messages feature earlier this month, combining emails, chats, and SMS messages in one inbox and offering people @facebook.com email addresses.

One issue that may give the privacy-conscious pause is that a Facebook permission exists that gives application developers the ability to download the content of your inbox…

Here’s a screenshot of the permission at right. If a user gives an application the “read_mailbox” permission, that application can have a field day with your private communications — downloading the content of a message, when it was sent, who it was sent to, etc.

Running your email primarily through Facebook potentially exposes you to contact with these third parties, so it may be a reason to stick with Gmail, Hotmail, Yahoo, or, if you don’t care about your digital image, AOL — email providers who let computer bots read your email and serve up ads based on the content, but don’t otherwise give third parties access to your communications. (Unless the po-po ask for them to hand it over.)

The read_mailbox permission is not some kind of security oversight on Facebook’s part. “As with many products, we opened up an API for messages to make it possible for developers to create new opportunities on top of Facebook products,” says a Facebook spokesperson. “For example, with the messages API, a developer could create an application that people could use to read their Facebook messages directly from their desktop.”

She reiterated that an application can only rifle through a Facebooker’s messages if he or she “grant[s] expressed permission for the application to access his or her inbox on their behalf. And they can end that connection at anytime.”

So we think it is a good time to pay more attention to any Facebook application.