PoX: Protecting users from malicious Facebook applications

Online social networks such as Facebook, MySpace, and Orkut store large amounts of sensitive user data. While a user can legitimately assume that a social network provider adheres to strict privacy standards, we argue that it is unwise to trust third-party applications on these platforms in the same way.Although the social network provider would be in the best position to implement fine-grained access control for third party applications directly into the platform, such mechanisms are still missing. Furthermore, recent press releases do not indicate that such mechanisms will be put in place in the near future. Therefore, we introduce PoX, an extension for Facebook that makes requests for private data explicit to the user and allows her to exert fine-grained access control over what profile data can be accessed by individual applications. By leveraging a client-side proxy that executes in the user’s web browser, data requests can be relayed to Facebook without forcing the user to trust additional third parties. Of course, the presented system is backwards compatible and transparently falls back to the original behavior if a client does not support our system. Thus, we consider PoX to be a readily available alternative for privacy-aware users that do not want to wait for improvements implemented by Facebook itself.