A friend on Facebook invited me to try the “X Me” application. It sounded a little silly but it was a person I respect, so I clicked on it. As soon as it installed, it popped up a list of more or less everyone I knew asking if it was OK to mail invitations to them. I said “no”, and then (weirdly) it popped up one other name and I said “no” again. Now I’m getting messages from people asking if I really think they should install “X Me”. This, obviously, is a virus.

As of now, I ain’t installing any Facebook apps unless someone I know and trust lets me know, in a personal and one-to-one way, that they’re using it and it works as advertised and isn’t a scummy virus.

In Facebook, nobody can hear you scream. Except your “friends”. A blog is different.


Comment feed for ongoing:Comments feed

From: Gideon Addington (Jun 17 2007, at 00:56)

Well, I think "virus" may be going a bit too far. Almost all the Facebook apps I've used are a bit annoying with the "invite everyone" aspect.

I've been using X Me without any trouble at all since installing... and even the megaapps (like iLike) try to get you to invite everyone you know.

Unfortunately, the open API thing may end up working against Facebook.


From: Gareth McCaughan (Jun 17 2007, at 02:12)

Gideon: if something asks you whether it's OK to mail all your friends, *and you say no*, and then it mails them anyway, that's pretty virus-like. No?


From: David Megginson (Jun 17 2007, at 05:28)

Gideon: if it sent messages without permission to Tim's contacts inviting them to install X Me, then it's a virus (or a worm), not just an annoying app. In fact, I suspect that in some jurisdictions, the author could face criminal charges.

Tim: I know that it can be embarrassing when an old tech hand like you gets caught by something like that, but I'm glad that you decided that the greater good of sharing the information outweighed any personal concerns.

The situation is far worse for MSN Messenger, especially since so many of the users or children or teens. I installed Windows XP on an old computer for one of my daughters so that she could use the features like VoIP and nudges (!!) that don't work with the Linux MSN clients. Unfortunately, MSN Messenger seems to allow people to run native windows code sent by contacts with minimal user intervention, and it didn't take long for the whole computer to become infected with spyware and adware. She voluntarily went back to using Web Messenger in Firefox under Linux for a while.


From: Gideon (Jun 17 2007, at 09:23)

Ahh, I apologize.. I misread the statement regarding it "emailed them anyway." Late night. :)


From: James Justin Harrell (Jun 17 2007, at 10:18)

From Wikipedia:

A virus can only spread from one computer to another when its host is taken to the uninfected computer ... A worm, however, can spread itself to other computers without needing to be transferred as part of a host.

I've also been annoyed lately by invitations from Facebook apps. The worst part is that I don't see an option to disable them. I've actually thought of unfriending people who I get lots of notifications from, just so I won't have to get them anymore. It's strange that all other kinds of notifications can be turned off, but these can't.


From: David Hall (Jun 17 2007, at 10:53)

I'm not going to pretend like facebook's system is perfectly secure, but what you're describing is not supposed to be possible. So, maybe X Me is a virus, or maybe facebook was momentarily borked (which happens quite frequently from my experience with developing facebook apps).

Theoretically, if person A has not added an app (as in invites), if the application tries to send a notification to that person, the sender of the invite must confirm on facebook. As in, all the application receives is a url, which it redirects the user to on facebook's servers where the user confirms sending the invite. One big complaint from developers has been that facebook doesn't even tell the app if the invite was confirmed (use case: some people don't confirm sending because they made a typo in the invite message, but responsible applications think the person has already been invited and doesn't let the user go back and invite the person again).

There may be a way for X Me to spoof a confirmation, but theoretically, all they can do is redirect someone to the url provided in the response as shown at http://developer.facebook.com/documentation.php?v=1.0&method=notifications.sendRequest


From: Ivan Krstić (Jun 17 2007, at 12:06)

Facebook is in the process of changing the interface that's made available to applications for sending invitations to a user's friends. They're making a standard form for this purpose, so this kind of automated invitation spamming will no longer be possible. (Note: I am not a FB spokesperson.)


From: Erich Bratton (Jun 17 2007, at 13:16)


Yes, I built a facebook app. Or more correctly, I ported an existing webapp to run inside of facebook. And I have very few users on it, somewhat to be expected, since my app is a giftlist which requires family members to be useful, not just college friends, and facebook's audience hasn't quite expanded to include families yet like they want/expect to. Maybe by the end of the year.

But what pisses me off about this is that the big facebook apps (defining big by number of users, what else is there for a metric?) have to resort to this kind of "cheating" or pushing the boundaries of what is acceptable.

If an app spreads "virally" by the best-intended use of the term, where one user see it on another user's page and decides to install it, then great! But to spam your friend list? Yuck.

Ho hum. I guess my GiftList will be on the slow growth path for a while...



From: Asbjørn Ulsberg (Jun 18 2007, at 01:09)

I too invited all of my friends to add the "X Me" application, even though I clearly clicked the "no" button. Whether it's a virus, a worm or just annoying doesn't matter. I'm glad it's being fixed in a future rev of the Facebook API, because this should obviously not be possible.


From: chips (Jun 18 2007, at 18:10)

I'm the author of X Me (though it's now run by rockyou, and I've not done much on it recently due to exams and end of year celebrations) and I'm pretty intrigued by the invite problem, which I've got a few complaints about. Basically, if we want to compete in terms of numbers, we have to use invites. But we're definitely not trying to spam all your contacts, and it isn't possible due to the fact that facebook makes sure you have to confirm them all. I'm not sure what people mean by clicking the "no" button... since the only links are "Invite friends", which invites the select friends, or "Skip invites", which takes you to the main application page. Maybe a bit more explanation of the exact process people are doing to get this issue?


From: Joshua Haberman (Jun 18 2007, at 22:17)

To clear up some questions about what apps can/can't do on Facebook:

* apps can send "invitations," "requests," and email to you only if you have the app installed, or your friend specifically confirmed it.

* however, apps can send "notifications" to anyone. these show up in the corner like requests and invitations, but don't get their own icon, and don't have any buttons.

I know this because I wrote the notification support for the BillMonk app on Facebook.


author · Dad
colophon · rights
picture of the day
June 16, 2007
· The World (147 fragments)
· · Life Online (273 more)
· Technology (90 fragments)
· · Web (396 more)

By .

The opinions expressed here
are my own, and no other party
necessarily agrees with them.

A full disclosure of my
professional interests is
on the author page.

I’m on Mastodon!