Facebook third-party application developers have been granted access to home addresses and mobile phone numbers of users, it has been warned.
Although members have to allow third-party applications to access such data, Sophos said the move by the social network could leave users in more danger from “rogue apps.”
These apps can be found across Facebook, often posting spam to users’ walls or linking to surveys which will earn the scammers money through commission.
Others have even tricked users into handing over their mobile numbers.
"Now, shady app developers will find it easier than ever before to gather even more personal information from users,” said Graham Cluley, senior technology consultant at Sophos, in a blog.
“You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies.”
The move will also open up more avenues for cyber criminals to steal someone’s identity.
“It won't take long for scammers to take advantage of this new facility, to use for their own criminal ends,” Cluley added.
“Wouldn't it [be] better if only app developers who had been approved by Facebook were allowed to gather this information? Or - should the information be necessary for the application - wouldn't it be more acceptable for the app to request it from users, specifically, rather than automatically grabbing it?”
A Facebook spokesperson said developers have been handed the ability to request permission to access addresses and mobile phone numbers "to make applications built on Facebook more useful and efficient."
"You need to explicitly choose to share your data before any app or website can access it and no private information is shared without your permission," the spokesperson added.
"As an additional step for this new feature, you're not able to share your friends' address or mobile information."
A variety of threats can be found on Facebook and Websense has warned a fresh Koobface scam has spread across the social network.
The illicit initiative has sent out direct messages from compromised accounts. One tactic employed by the cyber criminals was obfuscation of a malicious URL linked to in each message.
“Another tactic is the use of open redirects on the facebook.com domain itself. This gives the URL a more credible look (social engineering), as well as helping it pass basic security checks,” Websense warned in a blog.
“Usually, Facebook alerts users if they're about to browse to a link outside of its domains, but no alert is triggered in this case.”
This article originally appeared at itpro.co.uk