PREVIOUS ARTICLENEXT ARTICLE
NEWS
Facebook apps leak personal information
By Johan Keyter 12 May 2011 | Categories: newsSocial networking site Facebook isn't exactly the most trustworthy company when it comes to user privacy, and even though the website's PR team may state differently, it seems violations of personal information is still cropping up left and right.
The most recent comes courtesy of security specialists Symantec, owners of the Norton brand of anti-virus software. In a company blog post, Symantec stated that third parties (such as advertisers and social game developers) have had access to Facebook user data including profiles, photo's, chat content as well as having the ability to mine personal information from accounts.
According to Symantec, third parties have, “accidentally had access to Facebook users' accounts,” with the companies possibly not realising they had the ability to access the information.
Symantec discovered this week that certain Facebook IFRAME applications leaked access tokens to third party companies, with an estimated 100 000 applications enabling the data leak. According to Facebook, 20 million Facebook applications are installed on a daily basis.
“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” the Symantec blog stated.
Access tokens function like spare keys if you will, and it's this which users give out when they acknowledge that a certain application can access their information. These tokens enable certain actions to be performed on behalf of the user, such as reading information on your wall, accessing your friends' profiles and even posting (spamming) on your wall.
By default most of these access tokens expire after a short time, but Symantec discovered that applications can request offline access tokens, allowing them to use these to access your account until you change your Facebook password. Your information can also be accessed even when you're not online.
When users are redirected to the familiar application permission page, it was found that applications using a legacy Facebook API with certain parameters would send an HTTP request containing the access tokens in the URL to the application host.
In other words, the access tokens were leaked in referring URLs that could have been passed on to advertisers and other companies, in turn allowing them access to your account.
Facebook initially opened its doors to third-party developers back in 2007, and even though these applications have played a major role in the website's continued success, they have also marked some of the company's most telling security flaws.
Symantec stated that it's not clear whether anyone else was aware of the leak before them, but Facebook has been notified of the problem and confirmed the vulnerability existed, saying that changes are being implemented on their end to stop the tokens from getting leaked.
Symantec however stated concern that some of these tokens may still be in circulation, being stored in server log files and other obscure corners of the web. The issue doesn’t affect Facebook applications using the newer OAUTH 2.0 authentication system though.
The company urged concerned users to immediately change their Facebook passwords.
According to Symantec, third parties have, “accidentally had access to Facebook users' accounts,” with the companies possibly not realising they had the ability to access the information.
Symantec discovered this week that certain Facebook IFRAME applications leaked access tokens to third party companies, with an estimated 100 000 applications enabling the data leak. According to Facebook, 20 million Facebook applications are installed on a daily basis.
“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” the Symantec blog stated.
Access tokens function like spare keys if you will, and it's this which users give out when they acknowledge that a certain application can access their information. These tokens enable certain actions to be performed on behalf of the user, such as reading information on your wall, accessing your friends' profiles and even posting (spamming) on your wall.
By default most of these access tokens expire after a short time, but Symantec discovered that applications can request offline access tokens, allowing them to use these to access your account until you change your Facebook password. Your information can also be accessed even when you're not online.
When users are redirected to the familiar application permission page, it was found that applications using a legacy Facebook API with certain parameters would send an HTTP request containing the access tokens in the URL to the application host.
In other words, the access tokens were leaked in referring URLs that could have been passed on to advertisers and other companies, in turn allowing them access to your account.
Facebook initially opened its doors to third-party developers back in 2007, and even though these applications have played a major role in the website's continued success, they have also marked some of the company's most telling security flaws.
Symantec stated that it's not clear whether anyone else was aware of the leak before them, but Facebook has been notified of the problem and confirmed the vulnerability existed, saying that changes are being implemented on their end to stop the tokens from getting leaked.
Symantec however stated concern that some of these tokens may still be in circulation, being stored in server log files and other obscure corners of the web. The issue doesn’t affect Facebook applications using the newer OAUTH 2.0 authentication system though.
The company urged concerned users to immediately change their Facebook passwords.
USER COMMENTS
Most Read Articles
Read
Magazine Online
TechSmart.co.za is South Africa's leading magazine for tech product reviews, tech news, videos, tech specs and gadgets.
Start reading now >
Download latest issue
Have Your Say
What new tech or developments are you most anticipating this year?
New smartphone announcements (44 votes)
Technological breakthroughs (28 votes)
Launch of new consoles, or notebooks (14 votes)
Innovative Artificial Intelligence solutions (28 votes)
Biotechnology or medical advancements (22 votes)
Better business applications (132 votes)