Update: I think Facebook are onto this; luckystar_profile is just one app that is doing this (I’ve now seen many more), and all have been removed by Facebook. Unfortunately, the spam photo albums are still everywhere.
Yesterday afternoon, I received a Facebook notification from a friend I haven’t seen for about 6 months. It said she’s tagged me in a photo album, called “Who is checking my profile? – Mar 14 2010 07:54”. This struck me as pretty weird – since I hadn’t seen this friend for a while, I didn’t think there was much chance I could have been tagged in a photo recently. I checked the email was really from Facebook – it was – and the message also appeared in my new notifications within the Facebook system, so it wasn’t a case of sneaky phishing.
The weird thing is, the very same minute that I got this bogus notification about being tagged in a picture, I got a notification that this same friend had commented on a picture of mine, with a really suss-looking link.
I sent a message to my friend telling her I thought her Facebook account had been hacked; she got back to me to tell me she’d changed her password as a precaution, and I thought nothing more of it – the internet is full of nasties that try and steal your identity and access.
Then, over 24 hours later, I logged into Facebook and saw something much more widespread and concerning.
Tonight I went looking for a photo I’d uploaded a week or so ago, and I clicked on the “Photos” icon on the left-hand navigation. What I saw stunned me – many of my friends all had a very similar most recent album. 11 out of the 20 photo albums displayed – 55% – were showing this spam/phishing application’s calling card as their default picture/most recent album.
Looking more closely, all of these albums were from a sfapp (Spam Facebook App) called “luckystar_profile” (http://apps.facebook.com/luckystar_profile).
I’m not sure yet how it works – and don’t dare install the application in case it then screws with all of my photos and tries to get my friends to install something malicious – but in any case, it is clearly another example of Facebook’s Apps support ruining the user’s experience.
Facebook, the answer is very straightforward.
Remove all apps from your platform.
If you’re not prepared to do this, then at least stop apps from sending messages, putting in notifications, or messing with users’ data like photo albums.
If people want to have a farm or raise virtual fish, knock yourselves out – just don’t let any application write to anything in a user’s Facebook account.
Clearly app developers can’t be trusted, and this sort of crap is going to drive users away to the next big thing – the same way auto-loaded crap music drove people from MySpace to your service.