IT security firm Symantec claims to have discovered that some applications - which have been available for installation on Facebook since 2007 - were accidentally being handed what they described as a set of “spare keys” to users’ profiles, which allowed them to access the data as well as the “ability to post messages and mine personal information”.
Applications are given access tokens by users when they are installed, allowing them to access selected parts of the users' accounts. These tokens normally expire after a period of time but some applications can apply for offline tokens, which continue to grant access until the user’s password is changed.
Symantec claim that the information is leaked when apps redirect users to sites which have previously been personalised using information automatically but consensually handed over during the user’s visit to the site, such as country, locale and age bracket. If a rogue command is present in the electronic ‘negotiation’ of access privileges between Facebook and the app - called an API - users’ data become vulnerable to leaks.
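As an added illustration (not from Symantec's write-up or this article), assuming the leaked credential is an access token that travels in a URL and is then carried to third-party sites in the Referer header: a small log check that flags tokens reaching hosts other than the app's own, plus the strip-before-redirect mitigation. Hostnames, parameter names and token values below are constructed.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query/fragment parameter names treated as bearer credentials (constructed list,
# not Facebook's own parameter names).
TOKEN_PARAMS = {"access_token", "oauth_token"}

def token_params_in(url):
    """Names of credential-bearing parameters present in url's query or fragment."""
    parts = urlsplit(url)
    names = {k for k, _ in parse_qsl(parts.query)} | {k for k, _ in parse_qsl(parts.fragment)}
    return sorted(names & TOKEN_PARAMS)

def find_token_leaks(requests, first_party_host):
    """Flag requests where a token reaches a host other than first_party_host,
    either in the requested URL itself or in the Referer header sent with it.
    requests: iterable of (url, referer) pairs, as a proxy or web log records them."""
    leaks = []
    for url, referer in requests:
        dest = urlsplit(url).hostname or ""
        if dest == first_party_host:
            continue  # token staying with the first party is not a leak
        if token_params_in(url):
            leaks.append((dest, "url"))
        elif referer and token_params_in(referer):
            leaks.append((dest, "referer"))
    return leaks

def strip_token_params(url):
    """Mitigation: drop credential parameters before redirecting to a third party."""
    parts = urlsplit(url)
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query) if k not in TOKEN_PARAMS])
    fragment = urlencode([(k, v) for k, v in parse_qsl(parts.fragment) if k not in TOKEN_PARAMS])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))

# Constructed sample log: (requested URL, Referer header or None).
SAMPLE = [
    ("https://app.example/home?access_token=AAAtok1", None),
    ("https://ads.example/pixel.gif", "https://app.example/home?access_token=AAAtok1"),
    ("https://ads.example/pixel.gif", "https://app.example/home"),
    ("https://partner.example/land#access_token=AAAtok2&expires_in=0", None),
]

if __name__ == "__main__":
    for dest, channel in find_token_leaks(SAMPLE, "app.example"):
        print(f"token reached {dest} via {channel}")
```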
Much of the site’s revenue comes from so-called targeted advertising, which is tailored to the individual user based on their actions online, and Symantec said it found that the leak had resulted in some personal information being handed to advertisers.
Facebook claims that around 20 million applications or “apps” are installed by its users every day and, while it is impossible to provide an accurate figure, Symantec estimated that, as of last month, 100,000 apps were enabling this type of leak.
Facebook was notified of the alleged problem after it was identified by two Symantec employees, Nishant Doshi and Candid Wueest. Symantec insists it has been assured by the social networking site that steps have been taken to prevent it happening any longer.
Symantec advised Facebook users to change their passwords, saying that it should help to protect them from being caught by the leak.