Facebook Leaks Access Tokens, Exposes Private User Data to Advertisers
Symantec researchers have uncovered a serious flaw in how Facebook applications are handling authentication that gives third parties access to user profile data.
Facebook may have unintentionally leaked users’ personal information to third parties, a security firm discovered. The leak may be one of the most significant privacy missteps by the social networking giant.
Certain Facebook applications are leaking “access tokens” to third parties such as advertisers, giving them access to personal profile data such as chat logs and photographs, Symantec’s Nishant Doshi wrote on the Symantec Security Response blog on May 10. Most access tokens expire in two hours, but some tokens work offline and remain valid until the user changes the password, Doshi said.
Users are encouraged to change their passwords immediately, according to Symantec. Changing the password invalidates these tokens and is equivalent to “changing the lock” on the Facebook profile, Doshi wrote on the Symantec blog.
Access tokens act like “spare keys” to the user’s account, giving recipients the ability to access user profiles and perform certain actions, such as reading and posting Wall posts and accessing friend pages. Offline tokens work even when the user is not logged into Facebook and give applications and anyone else holding them access to the profile data at all times.
“We estimate that as of April 2011, close to 100,000 applications were enabling this leak,” Doshi wrote. The Symantec team estimated that since 2007, when Facebook launched apps, “hundreds of thousands of applications” could have leaked “millions” of these tokens.
More @ eWeek