by Lagged2Death 5376 days ago
Before any action is shared back from the site to Facebook, the user has agreed to authorize that site (application)...

That sounds great in theory.

I just looked at my Facebook "App Settings" page and found two applications/sites that I had supposedly authorized to interact with my Facebook profile. I don't know what they do, and I don't recall ever deliberately granting anyone or anything, especially the two sites in question, any permission to interact with Facebook on my behalf.


The App Settings page will tell you when last you used it, and when last they accessed information (once you click on "Edit").

If you are truly concerned about this happening behind your back (rather than making a comment about how easy it is to not recall adding something), you can contact me (neilblakeymilner at fb.com) and I will try to connect you with someone who might be able to help you find out when you did it and whatever other information might be attached to that event (I don't really know what, if any, we keep on that event type).

I just went to my App Settings page and also found multiple apps that I know for certain I didn't authorize.
Feel free to contact me as well if you are sure that you didn't authorize them. I am not sure I can help, but I will try.

There are only a select few applications that get authorized automatically when you use them (Instant Personalization - https://www.facebook.com/instantpersonalization/), but they only get read access to some basic information that you share with "Public", and they have to follow pretty stringent guidelines in terms of how they store and use the data, and they have to show you how to opt out of the experience when you visit.

This probably is not the case with you, but sometimes people find out that some browser plugins (even ones that do useful things, not just "show who viewed your profile" types) that they are using do malicious things, or discover that their credentials were compromised due to phishing or because of a password dump when they report weird things like this (although the team I'm on do try our best to prevent both of these sorts of things).

Isn't it vastly more helpful for everyone involved and reading this to name those apps?
To be fair, that doesn't mean it is their fault you allowed them to do so. It is indeed your responsibility to look at what you allow to access your profile and what you deny that access to.
When I say "I don't recall," I guess I'm using understatement in a bad place for it.

One of the sites in question was Bing. I don't use Bing.

There is no way in hell I authorized these apps. And this isn't a case where two apps from a long list seem suspicious; I've never authorized any apps, ever.

The Facebook guarantee that authorization is required has no technical enforcing measure; it's toothless bullshit.

We're trusting the greater Facebook ecosystem to uphold such policies and guarantees out of the goodness of its collective heart. Ha. Ha. We're also trusting Facebook itself to accurately list such relationships on their Apps page. I don't see why such trust is warranted, at this point.

Wow, I just checked my apps, and sure enough, Bing was authorized. I, too, have never used Bing. That kind of scares the hell out of me.
At least in Bing's case, it may have been automatically added as part of some sort of partnership. Not that it's any less sleazy to add (and authorize) apps on your behalf without your knowledge.