Security company Symantec has posted a notification on their blog that reveals a flaw in the Facebook web application API that has allowed apps nearly complete access to users’ accounts. This includes profiles, photos, chat and the ability to mine customer information. Updates below.
Fortunately, says Symantec, these third-party apps may not have realized that they even had the ability in the first place. Facebook has been informed that the issue exists and they have taken ‘corrective action’ to eliminate the vulnerability.
Facebook IFRAME applications, which are embedded web apps, had inadvertently been leaking access tokens to advertisers and analytics platforms. Symantec estimates that close to 100,000 apps were leaking info.
We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
At this point the leaking of access tokens, which act as keys to user information, to third parties has apparently been corrected by Facebook, but the vulnerability has existed for months. While Symantec does not believe that any of the developers of these applications were aware of their ability to access user data, it is not completely clear whether they were or not.
There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.
They recommend that all users of Facebook who are concerned about the issue change their password immediately. Changing their password will invalidate these tokens and remove a third-party app’s ability to access their profile.
We also recommend changing your password on your Facebook account as a security precaution. The fact of the matter is that this vulnerability has now been fixed, but those access tokens that were issued may still be in the databases of third party vendors. If you do not change your password they still have access to that information.
Now that the vulnerability has been made public, some of these third parties may attempt to take advantage of the extensive access to mine user data or much more. A full explanation of the vulnerability can be found at Symantec’s site.
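Symantec’s worry above, that leaked tokens may still sit in the log files of advertisers and analytics providers, turns into a concrete cleanup task for anyone who operated such an endpoint. The following is an added example, not code from the article, Symantec or Facebook: it scans constructed Apache combined-format access log lines for access_token values carried in request URLs or Referer headers, reports them, and redacts them so the logs can be retained safely. The hostnames, IP addresses and token values are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format) from a hypothetical
# ad/analytics server that received requests from Facebook IFRAME app pages.
# Hosts, addresses and token values are fake.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:13:02:11 +0000] "GET /pixel.gif?cb=81 HTTP/1.1" 200 43 "http://apps.example-app.test/canvas/?access_token=FAKE_TOKEN_A&expires=0" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:13:02:14 +0000] "GET /track?ref=1 HTTP/1.1" 200 43 "http://apps.example-app.test/canvas/" "Mozilla/5.0"
198.51.100.2 - - [10/May/2011:13:05:40 +0000] "GET /collect?access_token=FAKE_TOKEN_B&ev=view HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Query-string keys treated as credentials; extend for other token-bearing params
TOKEN_KEYS = {"access_token"}

# Captures the request line (method + path) and the quoted Referer field
LOG_RE = re.compile(
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \S+ "(?P<referer>[^"]*)"'
)

def tokens_in_url(url):
    """Return (key, value) pairs from the URL's query string whose key is a token key."""
    qs = urlsplit(url).query          # "-" (no referer) yields an empty query
    return [(k, v) for k, v in parse_qsl(qs, keep_blank_values=True) if k in TOKEN_KEYS]

def find_leaked_tokens(log_text):
    """Return (line_no, field, key, value) for every token found in the request
    path or the Referer header of each log line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field, url in (("request", m.group("path")), ("referer", m.group("referer"))):
            for k, v in tokens_in_url(url):
                findings.append((n, field, k, v))
    return findings

def redact_tokens(log_text):
    """Replace every token value with REDACTED, leaving the rest of the line intact."""
    pattern = re.compile(r'((?:%s)=)[^&"\s]+' % "|".join(map(re.escape, TOKEN_KEYS)))
    return pattern.sub(r"\1REDACTED", log_text)

if __name__ == "__main__":
    for line_no, field, key, value in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {line_no}: {key} found in {field} (value {value[:4]}...)")
```

The first sample line shows the pattern the article describes: the token travels in the Referer of an embedded tracker request, so it never appears in the app operator’s own URLs yet lands in a third party’s logs.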
Update. Facebook has posted an article on its developer blog, acknowledging that it is working with Symantec to improve security. They also state that they are now requiring that all applications use the newer OAuth 2.0 process for obtaining access keys.
Today, we are announcing an update to our Developer Roadmap that outlines a plan requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1.
The new authorization process retires the older form of authentication through which applications obtained the authorization keys.
Update 2. Douglas Purdy, Facebook’s Director of Developer Relations, has left this response in the comments below. We are including it in the body of the post to ensure that it is noted by readers of this article.
We appreciate Symantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has some inaccuracies. Specifically, we’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies. Lastly, as you mentioned, the change we announced today on our developer blog removes the outdated API referred to in Symantec’s report.
As Purdy notes, developers of apps and advertisers working with Facebook are under contractual obligations that prohibit them from using user information in ways that violate Facebook’s policies. This would preclude them from utilizing any information obtained through improper authorization on the part of Facebook’s APIs. It does not change the fact that the information was improperly accessible, a matter which Facebook promptly addressed as soon as it was brought to their attention.
Story by Matthew Panzarino
Matthew Panzarino was Managing Editor at TNW. He’s no longer with the company, but you can follow him on Twitter.