Facebook has confirmed claims made by Symantec over millions of leaked “access tokens”. These tokens enable an application to access personal information and make changes to profiles, essentially giving third parties the “spare key” to your profile information, photographs, wall and messages.
It is not confirmed whether these third parties (mostly advertisers) knew about the security hole, though Facebook has since told Symantec that the flaw has been fixed. Access granted via these keys could have even been used to mine users’ personal data, with evidence that the security flaw could date back to 2007 when Facebook applications were launched.
Symantec employee Nishant Doshi said in a blog post:
“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
Not Quite Sony
Access tokens are granted when a user installs an application and grants it access to his or her profile information. Tokens normally expire after a set time, though many applications request an "offline access" token, which remains valid until the user sets a new password.
Despite Facebook supporting the more robust OAuth 2.0 authentication scheme, a number of older authentication schemes are still accepted and are still used by thousands of applications. It is these applications, relying on outdated authentication methods, that may have inadvertently leaked information to third parties.
Nishant explains:
“The application uses a client-side redirect for redirecting the user to the familiar application permission dialog box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, “return_session=1” and “session_version=3”, as part of their redirect code.”

Where these parameters were used (pictured above), Facebook would redirect the user's browser to a URL that contained the access token. When the resulting page loaded third-party content such as advertisements, the browser passed that URL on in the HTTP Referer header, complete with access token (pictured below).

Users who are concerned that their access keys have been well and truly leaked should change their passwords immediately to automatically reset the token.
There was no news of the breach on the official Facebook blog, though revised application authentication requirements have since been posted on the developers' blog, requiring all sites and applications to switch to OAuth 2.0.
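The leak described above (a token placed in the redirect URL and then passed on in the Referer header) and the OAuth 2.0 change this paragraph mentions can be modelled in a few lines. The following is an added illustration written for this article, not code from Facebook or Symantec; the URLs, the `apps.example.test` host and the access-log lines are constructed, and only the parameter names `return_session`, `session_version` and `access_token` come from the article. It shows why a token in the query string reaches a third party while a token in the fragment or an OAuth 2.0 authorization code does not, and includes a log check an ad or analytics operator could run over their own logs to find such leaks.

```python
"""Model of the legacy-redirect token leak, plus a log check for it.

Constructed illustration, not Facebook or Symantec code. All URLs, hosts and
log lines are made up; parameter names follow the article.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never reach a third party via the Referer.
SENSITIVE_PARAMS = {"access_token", "session", "session_key"}


def referer_for(page_url: str) -> str:
    """What a browser sends as the Referer header when a page loads an
    embedded third-party resource: the full page URL minus its fragment."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaked_params(referer: str) -> dict:
    """Sensitive parameters a third party could read out of a Referer value."""
    qs = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in qs.items() if k in SENSITIVE_PARAMS}


def legacy_redirect_url(app_url: str, token: str) -> str:
    """Shape of the deprecated redirect (session_version=3): the token lands
    in the query string, so it is part of what the browser sends as Referer."""
    return f"{app_url}?{urlencode({'session_version': '3', 'access_token': token})}"


def oauth2_implicit_redirect_url(app_url: str, token: str) -> str:
    """OAuth 2.0 implicit flow puts the token in the URL fragment, which
    browsers never include in the Referer header."""
    return f"{app_url}#{urlencode({'access_token': token})}"


def oauth2_code_redirect_url(app_url: str, code: str) -> str:
    """OAuth 2.0 authorization-code flow: only a short-lived, one-time code is
    in the URL; the token is fetched server-to-server and never enters a URL."""
    return f"{app_url}?{urlencode({'code': code})}"


def scrub_url(url: str) -> str:
    """Defensive rewrite an application can apply (e.g. by redirecting to the
    cleaned URL) before rendering third-party content, so the Referer cannot
    carry a token."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query) if k not in SENSITIVE_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def find_token_leaks(log_lines):
    """Scan combined-format access log lines (as an ad or analytics server
    would see them) and report Referer values that carried a sensitive
    parameter. Returns (referer without query, sorted parameter names)."""
    hits = []
    for line in log_lines:
        fields = line.split('"')
        if len(fields) < 4:          # not a combined-format line
            continue
        referer = fields[3]          # second quoted field is the Referer
        found = leaked_params(referer)
        if found:
            hits.append((referer.split("?")[0], sorted(found)))
    return hits


# Constructed sample log lines, as an ad server behind apps.example.test might log them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:16:02:11 +1000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/game/?session_version=3&access_token=EXAMPLE_TOKEN_1" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:16:02:12 +1000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/game/?code=ONE_TIME_CODE" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:16:02:13 +1000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    app = "http://apps.example.test/game/"
    for name, url in [("legacy", legacy_redirect_url(app, "T")),
                      ("implicit", oauth2_implicit_redirect_url(app, "T")),
                      ("code", oauth2_code_redirect_url(app, "C"))]:
        print(f"{name:8s} referer={referer_for(url)} leaks={leaked_params(referer_for(url))}")
    print("log hits:", find_token_leaks(SAMPLE_LOG))
```

Running it shows that only the legacy form leaks `access_token` through the Referer; the scrub step and the log check are the two sides of the same control, one applied by the application, the other usable by the receiving side to audit whether tokens are arriving at all.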
Are you paranoid about Internet security? Have your say on the current state of Facebook and online security in general in the comments!
Image Credit: Symantec
More than ever, it is time to build a new alternative to Facebook, for those like me who just don’t care about third-party applications but enjoy sharing things and living in social networks. Just out of curiosity, how many people would love to have an application-free Facebook alternative?
Me! I basically have zero applications on my account for this very reason. The only reason I ever signed up for Facebook was to keep in touch and share a few photos. Now all I see are stupid daily horoscopes and other nonsense
Same for me @tbrookes:disqus I say we gather a bunch of people and we build the new facebook! Would be a great experience!
https://diasp.org – both your prayers are answered
So I wonder if this had anything to do with the Nicole Santos attack that saw people receive hundreds of notification and wall posts on their profile from people. Around 4pm + hours (Australia), Facebook just exploded with wall posts and notifications for people.
I am paranoid about internet security; every month or so, I go through Facebook to clean up all my comments and wall posts I make about people, in case something like this happens –> and it will again. So for those interested, below are some resources I have written about how you can protect yourself:
Should You Let Your Future Employer Look At Your Facebook Profile? – http://www.jackcola.org/blog/149-should-you-let-your-future-employer-look-at-your-facebook-profile
How To Protect Yourself Online While Using Facebook, Gmail, And Other Websites – http://www.jackcola.org/blog/137-how-to-protect-yourself-online-while-using-facebook-gmail-and-other-websites
How To Delete and Deactivate Your Facebook Account – http://www.jackcola.org/blog/104-how-to-delete-and-deactivate-your-facebook-account
How To Delete And Start Your Facebook From Scratch – http://www.jackcola.org/blog/123-how-to-delete-and-start-your-facebook-from-scratch
How I Protect My Personal and Online Identity – http://www.jackcola.org/blog/122-how-i-protect-my-personal-and-online-identity
How To Permanently Block A Stalker On Facebook – http://www.jackcola.org/blog/105-how-to-permanently-block-a-stalker-on-facebook
Did You Know People Are Now Deleting Their Facebook Accounts – http://www.jackcola.org/blog/79-did-you-know-people-are-now-deleting-their-facebook-accounts
Download Your Friends Facebook Email Addresses In 2 Minutes – http://www.jackcola.org/blog/73-download-your-friends-facebook-email-addresses-in-2-minutes
Facebook New Privacy Options Suck! – Your Privacy Is Now Gone http://www.jackcola.org/blog/46-facebook-new-privacy-options-suck-your-privacy-is-now-gone
I hope you find these useful