Out-Law News | 11 May 2011 | 3:12 pm | 3 min. read
Security research company Symantec, which has worked with Facebook, posted the news on its online blog.
"Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information," Symantec said in its blog.
"Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue," Symantec said.
The researchers said that hundreds of thousands of Facebook applications had exposed users' details.
"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," Symantec said.
Users can change their passwords to invalidate access to their accounts, Nishant Doshi and Candid Wueest, the two researchers credited with the discovery, said.
"We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile," the researchers said.
The flaw exists in an old system that Facebook used to allow advertisers to access its service. Facebook gives advertisers "access tokens" in order to allow them to place adverts on a user's page, Symantec said.
"Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc," the researchers' blog said.
"By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in," the Symantec blog said.
The personal information is exposed when a Facebook application still built on the older system redirects users to its own pages using commonly used code, so that the access token ends up in the page's URL, Symantec said.
"The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests," the researchers said.
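The following Python script is an added illustration of the leakage path the researchers describe and is not code from Symantec, Facebook or this article. It shows which part of a page URL a browser includes in the HTTP Referer header (the query string, but never the fragment), scans constructed third-party access-log lines for tokens that arrived that way, and redacts them; the parameter names, hosts and log lines are constructed for the example and are not Facebook's actual ones.

```python
"""Referrer leakage of access tokens: what leaks, how to find it in a
third-party server's logs, and how to keep the token out of the Referer.
All hosts, parameter names and log lines are constructed for this example."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters treated as secrets (illustrative names, not Facebook's).
SENSITIVE_PARAMS = {"access_token", "oauth_token", "session_key"}

# Constructed third-party log lines in combined log format; the first one
# carries a token in its Referer field, the other two do not.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2011:14:02:11 +0000] "GET /ad.js HTTP/1.1" 200 812 '
    '"https://apps.example.test/app/?access_token=CONSTRUCTED_TOKEN_123" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2011:14:02:12 +0000] "GET /ad.js HTTP/1.1" 200 812 '
    '"https://apps.example.test/app/?uid=42" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:14:02:13 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_for(page_url: str) -> str:
    """Referer value a browser sends for sub-resources loaded by page_url
    under the classic default of sending the full URL: scheme, host, path
    and query are included; the fragment (#...) is never transmitted."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaked_params(referer: str) -> dict:
    """Sensitive query parameters present in a Referer value."""
    query = dict(parse_qsl(urlsplit(referer).query))
    return {k: v for k, v in query.items() if k in SENSITIVE_PARAMS}


def move_token_to_fragment(page_url: str) -> str:
    """Mitigation: move sensitive parameters from the query string into the
    URL fragment, which the browser keeps client-side and excludes from both
    the request line and the Referer header."""
    p = urlsplit(page_url)
    keep, moved = [], []
    for k, v in parse_qsl(p.query):
        (moved if k in SENSITIVE_PARAMS else keep).append((k, v))
    fragment = "&".join(part for part in (p.fragment, urlencode(moved)) if part)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(keep), fragment))


def scan_log(lines) -> list:
    """Find log entries whose Referer carried a sensitive parameter; returns
    the timestamp, referring host and parameter names (never the values)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        leaked = leaked_params(m.group("referer"))
        if leaked:
            findings.append({
                "ts": m.group("ts"),
                "referer_host": urlsplit(m.group("referer")).netloc,
                "params": sorted(leaked),
            })
    return findings


def redact(line: str) -> str:
    """Strip token values from a log line before it is stored or shared."""
    names = "|".join(sorted(SENSITIVE_PARAMS))
    return re.sub(rf'({names})=[^&"\s]+', r"\1=[REDACTED]", line)


if __name__ == "__main__":
    url = "https://apps.example.test/app/?uid=42&access_token=CONSTRUCTED_TOKEN_123"
    print("Referer sent:", referer_for(url))
    print("Leaked:", leaked_params(referer_for(url)))
    safe = move_token_to_fragment(url)
    print("Referer after fix:", referer_for(safe), leaked_params(referer_for(safe)))
    for f in scan_log(SAMPLE_LOG):
        print("Log finding:", f)
    print(redact(SAMPLE_LOG[0]))
```

The scanner reports only which parameters leaked and from which host, so its own output does not become another copy of the token; `redact` is what you run over retained logs, which is exactly the concern the researchers raise about tokens lingering in third-party log files.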
Facebook's privacy guide details how it shares information and tells users that it will "never share your personal information with our advertisers."
"Facebook's advert targeting is done entirely anonymously. If advertisers select demographic targeting for their adverts, Facebook automatically matches those adverts to the appropriate audience. Advertisers only receive anonymous data reports," Facebook's privacy guide says.
Facebook announced on Tuesday that it was going to stop using the old authentication system for access tools.
"We are announcing an update to our Developer Roadmap that outlines a plan requiring all sites and apps to migrate to [the new authentication system] by October 1. This will ensure that users browsing Facebook over [a secure web encryption connection] will have a great experience over a secure connection. We believe these changes create better and more secure experiences for users of your app," Facebook Developers said in an online blog.
"Having a single standard for authentication and apps served through [a secure web encryption connection] allows us to provide a simpler, more secure, and reliable Platform," Facebook said.
Earlier this year Facebook gave users the option of using the site over an encrypted HTTPS connection, which protects login details and other traffic from being read in transit. It said 9.6 million users now used the site over the secure connection and that it expected more of its 500 million users to follow.