How safe are Facebook applications?

October 21, 2009, 3:11pm

Recently, Roger Thompson, chief research officer at security firm AVG, discovered over half a dozen Facebook applications that had been compromised by malicious hackers. Although the apps’ reach was small and relatively few users were affected, Thompson was concerned because it was the first time he had seen the apps themselves hacked, as opposed to something like Facebook profile pages, a common target for the still-spreading Koobface worm.

While this incident alone wouldn’t generate much excitement given the low-profile nature of the applications affected, it’s not the only example of unsafe applications on Facebook.

Hacked Apps Found Forcing Malicious Software on Users

In the case of the hacked Facebook apps found by AVG, the apps had been compromised through “iframes,” HTML elements embedded in the applications’ own code that load another web page inside the page being viewed. The injected iframes loaded content from malicious websites into the applications’ pages on Facebook.com, directing app users to install software on their computers by purporting to be an update for an out-of-date Adobe Reader product.

At first, Thompson thought the apps had been hacked by the developers, but as it turned out, it was the developers who were the victims. After looking at the source code for the apps in question, Thompson found that the iframes had been injected into the apps’ code due to infected software on the developers’ PCs.
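An injected iframe of this kind shows up in two ways a developer can check for: a template file whose hash no longer matches the last reviewed copy, and an `<iframe>` whose `src` points at a host the app does not own. The following is an added example (not code from AVG, the researcher, or the affected apps) of an audit script that combines both checks over a constructed sample; the host name `apps.example-social.test`, the file names, and the `badsite.invalid` URL are all assumptions.

```python
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed sample: the app's own domain (assumption), a clean template, and
# the same template after an iframe has been injected into it.
TRUSTED_HOSTS = {"apps.example-social.test"}

CLEAN_TEMPLATE = "<html><body><h1>My App</h1><p>Hello</p></body></html>"
INFECTED_TEMPLATE = (
    "<html><body><h1>My App</h1><p>Hello</p>"
    '<iframe src="http://badsite.invalid/update.html" width="0" height="0"></iframe>'
    "</body></html>"
)


def sha256_hex(text):
    """Hash a file's text so it can be compared against a reviewed baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Baseline manifest recorded when the developer last reviewed the code
# (constructed), and the files as they exist on the developer's PC now.
BASELINE = {
    "index.html": sha256_hex(CLEAN_TEMPLATE),
    "about.html": sha256_hex("<p>About</p>"),
}
CURRENT_FILES = {
    "index.html": INFECTED_TEMPLATE,
    "about.html": "<p>About</p>",
}

# Matches an <iframe ...> tag and captures its src attribute value.
IFRAME_RE = re.compile(r"""<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_foreign_iframes(html_text, trusted_hosts):
    """Return src URLs of iframes whose host is outside the trusted set.

    Relative URLs (no host) load from the app's own origin and are not flagged.
    """
    hits = []
    for src in IFRAME_RE.findall(html_text):
        host = urlparse(src).hostname or ""
        if host and host not in trusted_hosts:
            hits.append(src)
    return hits


def modified_files(baseline, current):
    """Names of files whose hash differs from the reviewed baseline, or are new."""
    return sorted(
        name for name, text in current.items()
        if baseline.get(name) != sha256_hex(text)
    )


def audit(baseline, current, trusted_hosts):
    """Map each changed file to the foreign iframe URLs found in it."""
    return {
        name: find_foreign_iframes(current[name], trusted_hosts)
        for name in modified_files(baseline, current)
    }


if __name__ == "__main__":
    print(json.dumps(audit(BASELINE, CURRENT_FILES, TRUSTED_HOSTS), indent=2))
```

The hash comparison catches any unreviewed change, including ones the iframe pattern would miss, while the iframe check explains what changed; a developer whose workstation may be infected should run the comparison from a clean machine against a manifest stored outside the workstation.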

Facebook quickly reacted to the situation and took down the compromised apps, while also contacting the developers to warn them of the issue.

Thousands of Apps Vulnerable to Attacks

While hacked Facebook apps may still be a bit of a rarity today on the popular social network, security vulnerabilities that could lead to malicious attacks are not. After spending a month on Facebook looking for application bugs, another security researcher made some disturbing findings.

Specifically, the researcher, who goes only by the handle “theharmonyguy” online, was looking for a specific vulnerability he referred to as a “FAXX Hack.” FAXX stands for “Facebook Application + XSS + XSRF,” or, in other words, a cross-site scripting vulnerability: a type of security hole that could allow a hacker to access profile information, including personal details, status updates, and photos of a victimized user and their friends.
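The two flaws the FAXX term combines are easiest to see side by side: an output that reflects a request parameter into HTML without escaping it (XSS), and a state-changing endpoint that accepts any request carrying the user's session without checking that the user's own page sent it (XSRF). The following is an added example, written here rather than taken from the researcher's findings or any Facebook code, that shows each flaw next to its corrected form. The request and session are plain dicts standing in for a web framework's objects, and the server secret and session ids are constructed values.

```python
import hashlib
import hmac
import html

# Assumption: a per-deployment secret used to derive anti-forgery tokens.
SERVER_SECRET = b"constructed-server-secret"


def render_greeting_vulnerable(params):
    """Reflects the 'name' parameter unescaped into the page: reflected XSS."""
    return "<h1>Hello, %s!</h1>" % params.get("name", "")


def render_greeting_hardened(params):
    """Escapes user input before placing it in HTML text content."""
    return "<h1>Hello, %s!</h1>" % html.escape(params.get("name", ""), quote=True)


def csrf_token(session_id):
    """Derive a token bound to one session; a forging site cannot compute it
    because it never sees SERVER_SECRET (simplified HMAC-based scheme)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def update_status_vulnerable(session, params):
    """Changes state for any request that arrives with a valid session: XSRF."""
    session["status"] = params.get("status", "")
    return True


def update_status_hardened(session, params):
    """Accepts the change only if the request carries the session's token."""
    supplied = params.get("csrf_token", "").encode()
    expected = csrf_token(session["id"]).encode()
    if not hmac.compare_digest(supplied, expected):
        return False
    session["status"] = params.get("status", "")
    return True


def demo():
    """Run the constructed scenario: a script payload and a forged status change."""
    payload = {"name": "<script>alert(1)</script>"}
    session = {"id": "sess-constructed-1", "status": "original"}
    forged = {"status": "forged by another site"}
    legitimate = {"status": "new status", "csrf_token": csrf_token(session["id"])}

    results = {
        "xss_vulnerable": render_greeting_vulnerable(payload),
        "xss_hardened": render_greeting_hardened(payload),
        "forged_rejected": not update_status_hardened(session, forged),
        "status_after_forgery": session["status"],
        "legitimate_accepted": update_status_hardened(session, legitimate),
        "status_after_legitimate": session["status"],
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The escaped output keeps the injected markup as text, so no script runs in the app's page, and the token check means a request forged from another site fails even though the browser attaches the victim's session to it.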

The findings showed that many Facebook applications, even those that were widely used and considered trustworthy, lacked basic security precautions. (NYT)
