ID: IRCNE2011051110
Date: 2011-05-12
“CNET” reports that Facebook has plugged a hole that was inadvertently providing advertisers and other third parties access to user accounts via tokens that serve as "spare keys". The problem was disclosed by Symantec on Tuesday.
"Facebook was notified of this issue and has confirmed this leakage," a senior software engineer at Symantec wrote in a blog post. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."
"We estimate that as of April 2011 close to 100,000 applications were enabling this leakage," he wrote. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
A Facebook spokesperson said that the company could not find any evidence that private user information was being shared with unauthorized third parties. He insisted that contractual obligations prohibit advertisers and developers from obtaining or sharing user information in a way that violates the site's policies.
These tokens allow applications to perform certain actions on behalf of the user or to access the user's profile. Most tokens expire after a short time, but an application can request offline access tokens, which give it access until the user changes the password.
The leak was happening when an application used a legacy Facebook application programming interface with older authentication schemes, instead of the new OAuth 2.0 data sharing protocol, he said. If certain parameters were used in the coding, the tokens would be sent in a URL to the application host, and from there could be leaked to advertisers and analytics platforms via iframe applications embedded in the page, he said.
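The mechanism described above, a bearer token carried in the page URL and then handed to embedded third parties through the Referer header and server logs, is easy to spot on the defender's side. The following is an added example, not code from the bulletin, Symantec, or Facebook: it scans constructed web-server log lines in combined log format for access tokens appearing either in the request path or in the Referer, and shows a redaction helper for keeping such values out of logs. The parameter name `access_token` is the one OAuth 2.0 uses; the other names in `SENSITIVE_PARAMS`, the host `apps.example`, and the token values are assumptions constructed for the example.

```python
"""Detect OAuth-style access tokens that have leaked into request URLs or Referer headers.

Added example for the bulletin above; not Facebook's or Symantec's code.
The sample log lines, host names and token values below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query-parameter names that may carry a bearer credential. "access_token" is the
# OAuth 2.0 name; the others are assumed names for legacy/session-style schemes.
SENSITIVE_PARAMS = {"access_token", "oauth_token", "session_key", "token"}

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: line 1 is a third-party tracking pixel whose Referer is the app
# page URL carrying a token (the leak path in the bulletin); line 2 is an API call
# with the token in the request path; line 3 is clean; line 4 is noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2011:10:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example/canvas?access_token=EXAMPLETOKEN123&uid=42" "Mozilla/5.0"',
    '203.0.113.6 - - [12/May/2011:10:00:02 +0000] "GET /api/me?access_token=EXAMPLETOKEN456 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2011:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 9000 '
    '"http://apps.example/canvas?uid=42" "Mozilla/5.0"',
    'not a log line',
]


def find_tokens_in_url(url):
    """Return {param: value} for every sensitive query parameter found in url."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k.lower() in SENSITIVE_PARAMS}


def redact_url(url):
    """Return url with sensitive parameter values replaced, other parameters intact.

    Suitable for sanitising URLs before they are written to logs or analytics.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(lines):
    """Return a list of (line_number, field, param) for every token seen in a log.

    `field` is "path" when the token was in the request URL and "referer" when a
    visiting browser disclosed it through the Referer header.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        for field in ("path", "referer"):
            for param in find_tokens_in_url(match.group(field)):
                findings.append((number, field, param))
    return findings


if __name__ == "__main__":
    for number, field, param in scan_log(SAMPLE_LOG):
        print(f"line {number}: '{param}' present in {field}; redacted form:",
              redact_url(LOG_LINE.match(SAMPLE_LOG[number - 1]).group(field)))
```

Redaction only limits the damage once a token is already in a URL; the fix the bulletin describes is to stop putting the token there at all, which is what the OAuth 2.0 server-side flow achieves by exchanging an authorization code for the token out of the browser's view.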
"There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007," he wrote. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
Facebook users can change their passwords to invalidate any leaked access tokens.