100,000 Apps Enable Leakage of Facebook Profile Info, According to Symantec
Security firm Symantec released a report indicating that there are about 100,000 Facebook apps that accidentally enable the leakage of Facebook user info to third-parties like advertisers and analytics platforms. The firm has confirmed the issue with Facebook, which it says has “taken corrective action to help eliminate the issue.”
“Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms,” says Symantec’s Nishant Doshi. “We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
“Access tokens are like ‘spare keys’ granted by you to the Facebook application,” Doshi explains. “Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.”
According to the security firm, while Facebook currently uses OAuth 2.0 for authentication by default, older schemes that are still supported and used by “hundreds of thousands” of apps are where the problem begins.
“There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007,” says Doshi. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.”
Yesterday, Facebook issued an update to its Developer Roadmap, outlining plans requiring all sites and apps to migrate to OAuth 2.0. All apps must migrate to the format by September 1.
Facebook and privacy concerns are certainly not strangers. Time and time again, something happens that brings concerns back into the spotlight. Last month, Facebook announced a new suite of safety tools and advanced security features.