Sign in with Facebook - what you should know

You come across an interesting article title and click on the "Read more" link. It takes you to a sign in page. How annoying. Luckily, you don't have to create a new account and remember another password because conveniently, you can sign in with Facebook or Google.

You sign in with Facebook, skim through the permissions and finally get to read that article. At least that's the only thing you consented to…right?

Whilst most apps will only access your Facebook profile name, photo and email address, some apps will ask for more permissions. Despite being reviewed by Facebook prior to being published, it is still imperative that you know exactly what you are consenting to when you log in to an app with Facebook.

It begs the question - I've consented to the app permissions - now what? The screenshot above shows an example of an app and the permissions it has to a Facebook account.  

Other permissions you could be granting include:

  • Access to respond to your Instagram direct messages
  • Post videos or photos directly to your Instagram Business feed  
  • Access to your Facebook timeline posts
  • Access to your WhatsApp Business messages

There could be legitimate reasons for needing these permissions, e.g. an AI chatbot app that automatically responds to Instagram Business direct messages from people asking for your business opening hours.

If you're a business owner, protecting your business Facebook, WhatsApp, Instagram or social media channel is crucial.

Here are tips on how to stay safe:  

  • When signing up to an application or website with a social media account, review the permissions the site is requesting.  
  • If you want to review the permissions for applications or websites you've already consented to, follow the social media application's steps to review app permissions. In Facebook, this is under Settings and Privacy > Settings > Apps and websites. From here, select an app and review any permissions these apps currently have access to. Remove them to revoke access to your Facebook information.  
  • Always look for signs of phishing in emails and on websites. Some will show an option to log in via Facebook or Google, but they could be malicious sites set up to look like a Facebook or Google login page to steal your credentials. Check the URL in the window and look for signs of spelling mistakes or distorted images.
  • Enable multi-factor authentication on all social media accounts. Even if an attacker has your Facebook credentials, they won't be able to log in or sign up to anything if they don't also have access to your mobile to retrieve that one-time code to complete login.
  • If your app or website allows your customers to log in via a social media account, it's recommended to get a security test (penetration test) to ensure it's been set up securely to protect your customers and your business's reputation.
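
The first and third tips can be checked mechanically. This added example (not part of the original article) inspects a "Sign in with Facebook" dialog URL for an unexpected host and for permissions beyond name, photo and email. The trusted host list, the mapping of permission names to the article's list and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts treated as the genuine Facebook Login dialog.
TRUSTED_HOSTS = {"www.facebook.com", "m.facebook.com"}

# Profile name, photo and email address: what most apps ask for.
BASIC_SCOPES = {"public_profile", "email"}

# Assumption: permission names matched to the broader access listed above.
BROADER_SCOPES = {
    "instagram_manage_messages": "respond to Instagram direct messages",
    "instagram_content_publish": "post to an Instagram Business feed",
    "user_posts": "read Facebook timeline posts",
    "whatsapp_business_messaging": "access WhatsApp Business messages",
}


def review_login_url(url):
    """Return a list of findings for a 'Sign in with Facebook' dialog URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    if host not in TRUSTED_HOSTS:
        findings.append(f"host {host!r} is not a known Facebook login host")
    # The dialog lists permissions in 'scope', separated by commas or spaces.
    raw = " ".join(parse_qs(parts.query).get("scope", []))
    scopes = set(raw.replace(",", " ").split())
    for name in sorted(scopes - BASIC_SCOPES):
        meaning = BROADER_SCOPES.get(name, "not in the table, look it up")
        findings.append(f"extra permission {name}: {meaning}")
    return findings


# Constructed sample URLs (client_id and redirect_uri are placeholders).
SAMPLES = [
    "https://www.facebook.com/dialog/oauth?client_id=0000"
    "&redirect_uri=https%3A%2F%2Fnews.example%2Fcb&scope=public_profile,email",
    "https://www.facebook.com/dialog/oauth?client_id=0000"
    "&redirect_uri=https%3A%2F%2Fbot.example%2Fcb"
    "&scope=email,user_posts,instagram_manage_messages",
    "http://www.faceboook.example/dialog/oauth?client_id=0000&scope=email",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(urlsplit(sample).hostname, review_login_url(sample) or "nothing unusual")
```

An empty result means the URL points at an expected host and asks only for the basic profile and email permissions.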
