Facebook has unwittingly let third parties gain access to users’ accounts, although many of those third parties may not have realised they had that access.
Employees at Symantec have discovered a flaw in the social networking site that could let advertisers access Facebook users’ accounts, including profiles, photographs and chat, and give them the ability to post messages and mine personal information.
“Fortunately, these third parties may not have realised their ability to access this information,” says Nishant Doshi, one of the Symantec employees who uncovered the vulnerability. “We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.”
Doshi explains that Facebook applications are Web applications integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.
“Symantec has discovered that in certain cases, Facebook IFrame applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100 000 applications were enabling this leakage. We estimate that, over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
These access tokens are like “spare keys” granted by users to the Facebook application. An application uses the token to perform actions on the user’s behalf or to read the user’s profile. Each token carries a specific set of permissions (reading a wall, accessing a friend’s profile, posting to a wall, and so on), so whoever holds a copy of the token can do whatever the user granted, for as long as the token remains valid.
Under certain conditions, a Facebook application could leak these access tokens to third parties, “potentially on purpose and unfortunately very commonly by accident”, says Doshi.
“Needless to say, the repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked,” he adds.
Doshi says there is no accurate way of estimating how many access tokens have been leaked since Facebook applications were introduced in 2007.
“We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers,” he says. “Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens.”
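The last point, tokens lingering in third-party log files, is the one an operator on the receiving end can act on. What follows is an added example, not Symantec’s or Facebook’s code: a small Python scanner for combined-format web server access logs that flags access_token parameters appearing in request paths or Referer headers and redacts them in its output, so the report itself does not re-leak the token. It assumes the token was carried in a URL query string, which is how a token would end up in another server’s log; the log lines, hostnames and token values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# Line 2 shows a token reaching a third party through the Referer header of the
# page that embedded an ad script; line 3 shows one sent directly in the request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 "http://apps.example.com/canvas/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2011:12:00:02 +0000] "GET /ad.js HTTP/1.1" 200 512 "http://apps.example.com/canvas/?access_token=AAAB1234567890abcdefEXAMPLE&expires_in=0" "Mozilla/5.0"
198.51.100.7 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif?access_token=AAAC0987654321zyxwvuEXAMPLE HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2011:12:00:04 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 "http://apps.example.com/canvas/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameter names treated as bearer credentials (hypothetical list for
# this example; extend it for other platforms' parameter names).
TOKEN_PARAMS = ("access_token",)


def redact(token, keep=6):
    """Keep a short prefix so findings can be correlated without re-leaking the token."""
    return "%s...(%d chars)" % (token[:keep], len(token))


def tokens_in_url(url):
    """Return token values found in the query string of a URL or request path.

    Only the query string is inspected: a URL fragment (#access_token=...) is
    never sent to a server, so it cannot appear in a server-side log.
    """
    query = parse_qs(urlsplit(url).query)
    found = []
    for name in TOKEN_PARAMS:
        found.extend(query.get(name, []))
    return found


def scan_log(text):
    """Scan combined-format log text; return one redacted finding per leaked token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("path", "referer"):
            value = m.group(field)
            if value == "-":
                continue
            for tok in tokens_in_url(value):
                findings.append({
                    "line": lineno,
                    "field": field,  # "referer": leaked from another site; "path": sent to us directly
                    "client": m.group("ip"),
                    "token": redact(tok),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %(line)d %(field)s from %(client)s: %(token)s" % f)
```

Run against a real log, the scanner reports where tokens arrived (a finding in the Referer field means the referring page put the token in its own URL; one in the path means the requester sent it to you directly), and the redacted output can be handed to whoever has to purge the logs and notify the application owner. Tokens sent to a third party do stop being useful once the user changes their password, as the article notes, but until then the only safe assumption is that a logged token is live.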