A new browser add-on, Google+Facebook, claims to make it easy to view your Facebook stream right inside Google+. While the idea of this is awesome, simplifying your social media life into one place, the implementation has been outed as a security risk, even approaching the level of malware.
A Reddit commenter scanned through the code of Google+Facebook, and found some things that may be worrisome given the personal nature of data shared on Facebook and Google+. Here are some of the issues that have been found with this plugin:
- It changes your default search engine to a page that the plugin developer controls, presumably creating additional revenue for the developer without your permission. This is a stealth change, as it still looks like you are searching with Google, but you are actually on a custom search page. This change does not get reset after uninstalling.
- It actively (and at random) looks for known webmail domains on your machine and starts reading your emails until it hits a quote block, which it then uses to append a signature to your emails in order to get your friends to start using the developer's software. LockerGnome writer Kelly Clay reported that Gmail alerted her to unauthorized access to her account from Amazon AWS on July 8, right after she installed the Google+Facebook plugin.
- Finally, the “Easy to Uninstall” claim that the developer makes is incorrect. Uninstalling the plugin does not stop the malicious activity going on behind the scenes, and you are still sending the company your data even after the plugin is uninstalled.
If you’d like to remove Google+Facebook completely, here’s how to do it:
Remove Google+ permissions from your Facebook settings.
Log into Facebook and go to Privacy Settings -> Applications. Remove all permissions associated with “Google+.”
Remove the browser plug-in and restart your machine.
In Firefox, you can remove the plugin in Tools -> Extensions. In Google Chrome, paste chrome://extensions/ into your address bar and remove the Google+Facebook extension. Restart your machine after this.
If you installed the plugin in Firefox, perform additional cleanup.
The Google+Facebook Chrome extension can be totally disabled by removing its permissions in your Facebook settings and deleting the plugin from Chrome. However, the Firefox plugin is a bit more malicious, so if you installed the plugin in Firefox, there are a few more steps you need to take to ensure everything is back to normal.
- Go to about:config
- Right click on the following search engine settings and reset them back to the Firefox default:
- Right click on the search icon (the Google icon if you are using Google), and select “Manage Search Engines.” Find the one with the OpenSearch Icon and remove it. Set the default search back to Google (or whatever you want to use).
- Restart Firefox and make sure your search engine actually searches at Google.com and not the OpenSearch site. If it does, and the “Google+” application no longer has permissions in Facebook, you are totally cleaned.
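To double-check the about:config step from outside the browser, the following added example (not part of the original article) reads the text of a Firefox profile's prefs.js, where user-modified preferences are stored as user_pref lines, and lists the search-related ones. It matches on name hints rather than a fixed list of preferences; the hints, the trusted-host list and the sample data are assumptions.

```python
import re
from urllib.parse import urlparse

# One user_pref("name", value); entry per line, as Firefox writes prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Assumption: substrings that mark a preference as search-related.
SEARCH_HINTS = ("search", "keyword")
# Assumption: hosts you consider legitimate for your chosen search engine.
TRUSTED_HOSTS = {"www.google.com", "google.com"}


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def audit_search_prefs(text, trusted=TRUSTED_HOSTS):
    """List user-modified search prefs; flag URL values on untrusted hosts."""
    findings = []
    for name, raw in sorted(parse_prefs(text).items()):
        if not any(h in name.lower() for h in SEARCH_HINTS):
            continue
        value = raw.strip('"')
        host = urlparse(value).hostname if "://" in value else None
        suspicious = host is not None and host not in trusted
        findings.append((name, value, suspicious))
    return findings


# Constructed sample, not taken from the add-on or from a real profile.
SAMPLE = '''\
# Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("browser.search.defaultenginename", "Web Search");
user_pref("keyword.URL", "http://search.example.net/?q=");
user_pref("browser.search.suggest.enabled", false);
'''

if __name__ == "__main__":
    for name, value, suspicious in audit_search_prefs(SAMPLE):
        print(("REVIEW " if suspicious else "       ") + f"{name} = {value}")
```

Run it against the contents of your own prefs.js with Firefox closed; any line marked REVIEW is a search-related preference pointing at a host you did not list as trusted.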
While the idea behind Google+Facebook is cool, and lots of media outlets are saying this plugin is the best thing ever for users of both sites, you always need to be careful before allowing plugins and applications to access your data on social media sites. Just because it claims to do something that you want doesn’t mean it’s not doing something nasty behind the scenes.