Google+Facebook, developed by Israeli developer Crossrider, lets users see Facebook streams and update Facebook statuses from within the Google+ platform. The extension has thus far proved popular: according to company execs, there have been over 100,000 downloads in just one week.
Unfortunately, the code may be insecure. Crossrider CEO Koby Menachemi admitted himself that the application was written in less than a day, and so “the product is not perfect.” Taking this fact into consideration, it’s not impossible that Crossrider’s coders may have missed something.
Questions about Google+Facebook’s possible security issues were raised over the weekend, when Reddit user RogueDarkJedi posted comments on a story promoting the app. In the comments, RogueDarkJedi alleges that Google+Facebook “acts like malware,” and says it’s a “security vulnerability waiting to happen.”
What’s in question is the app’s behavior. Google+Facebook must download an external JavaScript file at every launch, in order for it to work. Mozilla has frowned upon this practice, as it puts all users of an app using such a system at risk in the event that the server hosting the script is compromised.
The app also does a number of other seemingly unscrupulous things, such as changing search preferences to a site controlled by Crossrider and appending a signature to e-mail messages sent on certain webmail providers. Uninstalling the app reportedly does not remove many of the changes Google+Facebook makes.
“So should you trust these guys? In my opinion, [expletive deleted] no. Do NOT install this, it does more harm than anything. Stay the hell away,” RogueDarkJedi wrote in the comment.
The post caught the attention of Crossrider, who responded to a Lifehacker post about the application, in which Lifehacker recommended its readers not install the app. Cofounder and CTO Shmueli Ahdut shot back, saying the way Google+Facebook auto-updates is “at the edge of extension-technology today,” and that no changes are made without the user’s permission.
RogueDarkJedi updated his post saying that the company was not being honest with its users, and that its code was still sloppy: “Stop lying to your users and to Reddit. Clean up your code, issue an apology, tell your users what they are getting into and secure your platform.”
In any case, if you have downloaded the app, it may be a good idea to uninstall it for now. Personally, I think the whole point this Reddit commenter makes about the application constantly going back to Crossrider’s servers for that JavaScript file is very valid.
All it takes is AntiSec one time to hack into Crossrider’s servers and mess with that JavaScript file. Soon your computer could be doing a lot more than just putting your Facebook stream on Google+. With 100,000+ users, it’s certainly an easy (and attractive) target.
For more tech news and commentary, follow Ed on Twitter at @edoswald and on Facebook.