
Think of apps and you probably think of your smartphone. After all, Apple pretty much built an iPhone empire around the concept of apps, and users of Android and Windows handsets are just as hooked. Truth be told, though, this 'Age of Apps' has spread far beyond the smartphone sphere. Nowhere is this more apparent than in the social media space.

Facebook is awash with apps, ranging from the useful to the useless. Many of them fall into the 'simply annoying' category, involving the distribution of game invites or high scores to the user's largely unimpressed and totally uninterested circle of friends. Unfortunately, far more than is healthy have also come along and slotted quite nicely into the security or privacy risk category: apps which pretend to do one harmless thing but actually do something far more harmful, be that leading to malware infection, spamming or phishing attempts.

One popular security risk app type on Facebook over the years has been the 'profile tracker' which promises to reveal who has been looking at your profile recently. Of course, no app can do any such thing, but that doesn't stop people falling for the scam every time such an app is released. And it doesn't stop those people from being at risk of malware infection or account hijack either. As users of the popular social media micro-blogging service Tumblr are now discovering for themselves.

Just like Facebook, Tumblr users can install a whole bunch of different apps to provide additional functionality and fun to the Tumblr experience. GFI Labs, however, has discovered one app that adds neither. Actually, that's not quite true as it does add functionality in the form of gaining itself read and write permissions so it can post and edit blog content using your account. Which isn't a lot of fun.

The ProfileStalkr app is doing a fine job of using these read and write permissions to spread the word about itself across Tumblr at the moment, picking up more naive victims along the way. It promises, as with those rogue Facebook apps I mentioned before, to reveal who has been looking at your profile on Tumblr. Those Facebook apps are best thought of as simply being a route to a cookie-cutter website with a survey (either for the purposes of relieving you of personal information or getting an illicit income for each survey completed, and often a combination of the two). The Tumblr rogue app, by contrast, is that cookie-cutter website with a survey plus an installable application for good measure.

The app requires users to log in to Tumblr for 'authorisation' purposes and to allow the software to supposedly start tracking and analysing profile views. This also requires the user to grant ProfileStalkr read/write access to the account, and an advert to spread the word is immediately posted for your circle of friends to see.

Users who have still not cottoned on are directed to the ProfileStalkr website, which encourages them to unlock the names of their stalkers by clicking on a button which pops up a survey, surprise surprise. By this point the penny will probably have dropped and off the user goes to change their password. Which solves nothing, as the 'post by email' Tumblr functionality can be used to post stuff to your 'secret address' regardless. At least until the user, assuming they were aware of the option, changed that address as well.

To remove ProfileStalkr, Tumblr users need to visit their account settings and click on the apps section, where they can revoke access. GFI Labs recommends changing your login password and resetting your post by email address as additional safety measures, just in case you've fallen for some similar scam before and didn't realise it!


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


I'm not an avid user of tumblr, will give it a try soon. And thank you so much for the article so I can be careful next time I visit my tumblr account.


AmusingVideos.net is a place where we gather the funniest, amazing and amusing videos, movies and video clips from YouTube.com. Each user can add their own movies and comment on others' movies so get your account right now. Best of YouTube is waiting for you. http://amusingvideos.net/


To remove ProfileStalkr, Tumblr users need to visit their account settings, click on the apps section where they can revoke access. GFI Labs recommends changing your login password and resetting your post by email address as additional safety measures, just in case you've fallen for some similar scam before and didn't realise it!

It's very disturbing to have an app called ProfileStalkr. I don't have a Tumblr account (yet) but after reading this I might consider not opening one. There are nice girls on Tumblr, mostly models not nude.
