Currently, many users of computers and mobile telephones make use of popular Web sites such as Twitter, Facebook, DropBox, etc., in order to use the services that these Web sites provide. In addition, there are many third-party software applications designed for use with these Web sites that provide additional services for a user. Typically, a third-party application will require that the user grant the application access privileges to the user's account for the Web site in question.
Unfortunately, some of those third-party applications are malicious and may take actions that the user does not expect and does not want, even though the user has previously granted the application access to his or her account. When the user grants the application access privileges, he or she typically cannot imagine the risks involved in granting these access privileges. Access privileges are granted without the user exercising due care or without knowing the meaning of the access privileges granted.
FIG. 1 shows a prior art window 10 in which a user is being asked to grant access privileges to a third-party application. In this example, the user uses the Web site Twitter and desires to use a third-party application 110 in order to take advantage of additional services offered by that application. When the application connects to Twitter, the user is routed to the Twitter Web site, which asks the user whether the application should be allowed to access the user's Twitter account. Shown is the source of the third-party application 110 and the logotype or name 120 associated with the Web site. Presented to the user is a list 130 of general actions that the application will be able to perform once the application has access privileges. Also shown is a list 140 of actions that the application will not be able to perform. The user may then choose a button 150 to authorize the application or a button 160 to cancel the transaction. Unfortunately, many users do not pay attention to these actions or do not understand them, and may authorize an application without enough consideration.
Using this example, if a malicious application were to be granted access privileges to the user's Twitter account, that application would be able to post messages on behalf of the user. These messages could be undesirable, false, provide a link to a malicious Web site, etc. The user would thus unknowingly take part in the spreading of false information, malicious sites and spam, and the user's reputation would suffer on the Twitter service. Or, if an application were granted access to contact information and also network access, the user's information might be leaked over the Internet.
In addition, the application would be able to follow an undesirable Twitter account. The user may receive a message from an unknown user that might be false, unethical, spam, or contain a link to a malicious site. The user could inadvertently perpetuate fraud or fall victim to malware if the message is acted upon. Further, a malicious application would be able to edit the user's profile within Twitter. The user's photograph or profile may be changed to provide unflattering or incorrect information, thus causing the user's reputation to suffer.
In general, the problem with granting access privileges to third-party applications to a Web site and service that the user uses regularly is that it can be difficult for a user to understand precisely what privileges he or she is granting. And, because he or she is in a rush, the user may authorize access carelessly or simply by custom without reading the explanations, or may not understand the explanation given. Therefore, a new system and techniques are desirable that would assist a user in granting access privileges to third-party applications only when the user understands the risks associated with granting access.