Today I got some Facebook spam. It’s the first time it’s happened; it came from a friend and it ended up on my wall. After Twittering about it, Ray pointed me towards these posts on the Facebook blog. So it looks like the problem lies in people giving their usernames and passwords out to random sites with promises of apps (or something). These sites then take control of a user’s account and send out a barrage of spam.
Okay, now for the rant. Part of the reason this is happening is Facebook’s own fault (as well as that of a lot of other parties). Part of the way these sites have expanded at the speed they have is by asking people to enter their email username and password, then crawling their contact lists to show them existing users and send out invites. By encouraging this kind of behavior, Facebook makes it seem okay to give a site (even one you trust) your username and password, which it shouldn’t be. Ever. Period.
OAuth attempts to solve this problem by bouncing you over to the other site for approval, rather than asking for the login info. Google has implemented a version of this, but it’s still not being used by many sites (the only integration I’ve seen is Dopplr).
Now Facebook isn’t alone in this one. Every social site has a feature like this where they ask for email usernames and passwords. This is bad for business.
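To make the difference concrete, here is a small model of the two approaches discussed above: handing a site your password versus approving it on the provider's own page. It is an added example, not code from Facebook, Google or the OAuth specification, and it models only the idea of a scoped, revocable grant rather than the OAuth wire protocol; the `Provider` class, the user `alice`, the consumer `social-site` and the action names are all constructed for illustration.

```python
import secrets

ALL_ACTIONS = {"read_contacts", "send_messages", "change_password"}

class Provider:
    """Toy account provider; names and data are constructed for illustration."""

    def __init__(self):
        self._passwords = {"alice": "correct horse"}
        self._tokens = {}  # token -> (user, consumer, scope)

    def _check(self, user, password):
        stored = self._passwords.get(user, "")
        if not secrets.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")

    def allowed_with_password(self, user, password):
        # Password path: whoever holds the password can do everything.
        self._check(user, password)
        return set(ALL_ACTIONS)

    def approve(self, user, password, consumer, scope):
        # Delegated path: the user logs in on the provider's own page and
        # approves one scope for one consumer; only a token leaves the provider.
        self._check(user, password)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user, consumer, scope)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def allowed_with_token(self, token, action):
        # Unknown or revoked tokens, and actions outside the scope, are refused.
        grant = self._tokens.get(token)
        return grant is not None and grant[2] == action

def demo():
    provider = Provider()
    by_password = provider.allowed_with_password("alice", "correct horse")
    token = provider.approve("alice", "correct horse", "social-site", "read_contacts")
    by_token = {a for a in ALL_ACTIONS if provider.allowed_with_token(token, a)}
    provider.revoke(token)
    after_revoke = {a for a in ALL_ACTIONS if provider.allowed_with_token(token, a)}
    return by_password, by_token, after_revoke

if __name__ == "__main__":
    print(demo())
```

A site holding the password can post and change the password; a site holding the token can only read contacts, and loses even that once the user revokes the grant.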