Facebook "handed out spare keys" to users' data
By Stewart Mitchell
Posted on 11 May 2011 at 09:00
Security firm Symantec has accused Facebook of leaving end-user data open to third parties and advertisers in hundreds of thousands of applications.
The problem stems from “access tokens” that act like spare keys within Facebook applications, and the issue had gone undetected “over the years”, according to the security firm.
“Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information,” said Nishant Doshi on the official Symantec blog, although he admitted that he had no evidence that third parties had made use of the security flaw.
There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007
“Facebook iFrame applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
Although Facebook said Symantec's report contained "inaccuracies", the social network said it had since closed the hole and didn't believe third parties had made use of the open invitation to raid application data.
“We have conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorised third parties," Facebook spokeswoman Malorie Lucich told Reuters in a statement.
However, according to Symantec, data scrapers and other personal information companies could still use the tokens that have already been leaked over the years.
“We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers,” Doshi said.
“Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007.”
Symentec said access tokens were “like spare keys granted by you to the Facebook application”. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile, the company said.
From around the web
advertisement
- Laptop bag reviews: nine tested
- Sony VAIO T Series Ultrabook review: first look
- Revealed: the military standards and robots HP uses to test its laptops
- Windows 8: multi-monitors and double standards?
- Why is TalkTalk's year-old porn filter suddenly big news?
- Why are laptop screens so far behind mobiles?
- HP EliteBook Folio review: first look
- The shoebox-sized all-in-one printer
- Forget the Ultrabook: here comes the HP Sleekbook
- HP Spectre XT review: first look
- Why you have to be left in the dark on OS patches
- Publishing your email address isn't a security disaster
- Why antivirus is fighting a losing battle in your office
- Four year olds used to steal their parents' data
- An acceptable use policy for your kids
- Paying for your crimes with Bitcoin
- Pavement hacking: What it is and how to avoid it
- Google's risky pre-loaded pages
- Mac under attack: how secure is Apple's OS?
- Has your browser been hijacked?
advertisement
