Facebook Apps Have Been Leaking Private Data To Advertisers For Years

11 May 2011

Surprise! Security firm Symantec reported yesterday that a hole in the Facebook security system allowed third-parties like advertisers access to user accounts and private data – and that this hole has been in place for the past four years, since Facebook first started offering apps to its users.
The information available, according Symantec employee Nishant Doshi, included “profiles, photographs, chat, and the ability to post messages and mine personal information.” Doshi is credited with finding the security hole.
From the Symantec post:

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.’

Facebook, for its part, reported yesterday that the problem had been fixed and that there wasn’t any evidence of private data being leaked – except for, you know, the gaping security hole of four years.
[Source: Symantec]