It is not confirmed whether these third parties (mostly advertisers) knew about the security hole, though Facebook has since told Symantec that the flaw has been fixed. Access granted via these keys could even have been used to mine users’ personal data, and there is evidence that the security flaw could date back to 2007, when Facebook applications were launched.
Symantec employee Nishant Doshi said in a blog post:
“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
Not Quite Sony
Access tokens are granted when a user installs an application and grants it access to his or her profile information. Access keys usually expire over time, though many applications request an offline access key, which does not change until the user sets a new password.
Despite Facebook using solid OAuth 2.0 authentication methods, a number of older authentication schemes are still accepted and in turn used by thousands of applications. It is these applications, using outdated security methods, which may have inadvertently leaked information to third parties.
“The application uses a client-side redirect for redirecting the user to the familiar application permission dialog box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, “return_session=1” and “session_version=3”, as part of their redirect code.”
Where these parameters were used (pictured above), the URL Facebook returned in the redirect carried the access tokens. As part of the referral mechanism, this URL is in turn passed on to third-party advertisers, complete with access token (pictured below).
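The leak path described above, recast as an added example (this is not code from the article, Symantec or Facebook): a small Python audit that flags the two deprecated parameters in a legacy redirect URL, reports token-bearing parameters in a page URL, shows what a browser would place in the Referer header when that page embeds a third-party resource, and strips the token before the URL is exposed. The hostnames, token values and the `access_token`/`session` parameter names are constructed for illustration and are assumptions, not values taken from the article.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Deprecated parameters named in the Symantec write-up; their presence in a
# legacy redirect meant the access token came back inside the URL.
DEPRECATED_PARAMS = {"return_session": "1", "session_version": "3"}

# Query/fragment keys that carry credentials and must never be present in a URL
# that is later sent as a Referer. Names are assumed for illustration.
TOKEN_PARAMS = {"access_token", "session"}


def find_deprecated_params(redirect_url):
    """Return the deprecated parameters (with their values) present in a
    legacy redirect URL, or an empty dict if the redirect is clean."""
    query = dict(parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True))
    return {k: v for k, v in query.items() if DEPRECATED_PARAMS.get(k) == v}


def tokens_in_url(url):
    """Return credential-bearing parameters found in the query or fragment."""
    parts = urlsplit(url)
    found = {}
    for component in (parts.query, parts.fragment):
        for key, value in parse_qsl(component, keep_blank_values=True):
            if key in TOKEN_PARAMS:
                found[key] = value
    return found


def referer_for_third_party(page_url):
    """Value a browser sends as Referer when the page at page_url loads a
    third-party resource and no Referrer-Policy restricts it: scheme, host,
    path and query string are sent; the fragment never is."""
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def strip_tokens(url):
    """Remove credential-bearing parameters (and the fragment) so the URL is
    safe to expose, e.g. as the address the user is redirected to after the
    token has been consumed server-side."""
    parts = urlsplit(url)
    clean_query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k not in TOKEN_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(clean_query), ""))


def audit(redirect_url, page_url):
    """Summarise the risk of one app: deprecated redirect parameters, tokens
    in the landing page URL, and whether a Referer to a third party would
    carry a token."""
    referer = referer_for_third_party(page_url)
    return {
        "deprecated": find_deprecated_params(redirect_url),
        "tokens_in_page_url": tokens_in_url(page_url),
        "referer_leaks_token": bool(tokens_in_url(referer)),
    }


if __name__ == "__main__":
    # Constructed sample: a legacy redirect and the landing page it produces.
    legacy_redirect = ("https://example-app.invalid/login?return_session=1"
                       "&session_version=3&next=%2Fcanvas")
    landing_page = "https://example-app.invalid/canvas?access_token=CONSTRUCTED_TOKEN&page=2"
    print(audit(legacy_redirect, landing_page))
    print("clean landing URL:", strip_tokens(landing_page))
```

The check that matters for a defender is `referer_leaks_token`: a token placed in the query string of the app page is sent to every advertiser iframe that page loads, whereas the same token in the fragment is not (browsers never send the fragment in Referer), which is why `referer_for_third_party` drops it and why moving the token out of the URL entirely, as OAuth 2.0 server-side code exchange does, is the real fix.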
Users who are concerned that their access keys have been well and truly leaked should change their passwords immediately to automatically reset the token.
There was no news of the breach on the official Facebook blog, though revised application authentication methods have since been posted on the developers blog, requiring all sites and applications to switch to OAuth 2.0.
Are you paranoid about Internet security? Have your say on the current state of Facebook and online security in general in the comments!
Image Credit: Symantec