
The JavaScript used in Facebook games has the potential to be a risk, but there is a much more likely scenario to watch for!

Can your email be hacked through the games on Facebook?

In this excerpt from Answercast #43, I look at possible dangers from the JavaScript used in Facebook games.

Facebook games

In theory? I suppose so. In practice? No.

So, the issue here is that Facebook games make heavy use of JavaScript. JavaScript is a programming language that runs small programs in your web browser.

  • Those programs often have access to certain pieces of information that may or may not expose vulnerabilities;

  • If unpatched, those vulnerabilities could allow the program to do things that it's not supposed to.

Potentially, I suppose, it could (on an unpatched machine) reach out and grab things that it's not supposed to: like say, your email address or your password. In reality, that's just not happening.

I don't know of any single case where a Facebook game has actually been able to do anything like that.

Hackers have easier ways

And in reality, you know what? The people who want to do that don't have to resort to those kinds of lengths. Because let's face it – in many cases (especially in situations like this), we are our own worst enemies!

  • All a game has to do is say, "Hey, I need you to login with your email account and password in order to play this game."

  • Well, of course you don't. That's the game phishing you.

It's trying to get you to hand over the information – rather than going through some technical means to try and hack your computer and find out the information.

And yes, you would be shocked at the number of people who would willingly hand over their email address and their password in order to play whatever game it is they've been promised!

Legitimate Facebook games

So, legitimate games, absolutely not. It just isn't going to be a problem with those. They're not going to do anything underhanded or try and hack your account.

Beyond that, it just pays to play it safe. Only do games that you know are legitimate and come from reputable sources.

  • Don't fall for phishing attempts that ask you to divulge information that isn't absolutely necessary to play the game.

  • If somebody is asking you for your password – absolutely think twice, think three times.

  • In fact, think so long that you forget you want to play the game.

  • It's just not worth it.

But no, ultimately from a technological perspective, I really don't see this as a big risk. The real risk here (I think) is along the lines of social engineering.

Article C5691 - August 13, 2012
Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Jim Green
August 14, 2012 6:25 AM

Most games in Facebook don't need to "hack" your address; you give it permission to see who your friends and contacts are when you agree to play. That's why you and all of your friends get those annoying "whats-his-name" played this game messages. Which is why I don't play FB games as a general rule.

Pete Hepple
August 17, 2012 1:26 PM

Don't know about games on Facebook but recently many of my friends & family (and me!) received eMails from the Philippines requesting money to get out of jail! The only place the eMail addresses were accessible was Facebook. I only went on for a week or so to see what all the fuss was about. I then got out - smartish!

Mark J
August 17, 2012 1:50 PM

Some FB apps ask for permission to access your email address book or Facebook friends. These, when misused, could be social engineering hacks or phishing for email addresses. If you don't give an app that permission, they won't have access to your friends or contacts.

November 11, 2012 11:14 AM

Yikes! Could I be one of those people "who would willingly hand over their email address and their password?" I didn't think so, but now I'm worried. I play one particular game on Facebook through Zynga, so I'm hoping, at least, that this is considered a "reputable source" and I have nothing to worry about. Still, I don't want to be one of "those people" :)...

When I'm already logged in to Facebook, and I click on the game application, I don't have to log in to play the game, BUT I usually click on the application first and am prompted: "Log in to use your Facebook account with Texas HoldEm Poker." I was suspicious at first, but I felt safer when I saw the "" at the top. Does that make any difference?

So even though this particular game may not be stealing my password, IS IT A BAD IDEA TO LOG IN TO GAMES AND APs THIS WAY--EVEN WHEN I SEE THE HTTPS?

