Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties such as advertisers or analytics platforms.
It is estimated that as of April 2011, close to 100,000 applications were enabling this leakage. Over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile, reports Symantec.
The permissions-based app menu to which users must agree when installing an app is the culprit.
There are over 500 million Facebook users, 50% of whom log on to Facebook on any given day. An average user has 130 friends. There are over 900 million objects that people interact with (pages, groups, events and community pages). People on Facebook install 20 million applications every day. So you can imagine the damage this may have caused!
Facebook spokeswoman Malorie Lucich released a statement saying that Symantec’s accusations disregarded the “contractual obligations of advertisers and developers,” which restrict them from acquiring or spreading this information in a way that infringes on Facebook policy. She also noted that Facebook has removed the outdated Application Programming Interface (API) that Symantec had mentioned. Facebook now uses OAuth 2.0 for authentication.
You may recollect that last year Harvard Business School professor Benjamin Edelman claimed that Facebook provided users’ information, including name and photos, to advertisers. According to his findings, clicking on an advertiser’s advertisement reveals the Facebook user’s name or user ID to the advertiser.
“With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more,” he had said.
There have been a lot of Facebook security breaches, and every time one has been detected, Facebook has gone on to patch it.
Facebook has just announced a series of new security measures. You can read more about it here.