Facebook Quietly Patches A Massive Security Hole, Millions Potentially Affected [News]



Facebook has confirmed claims made by Symantec over millions of leaked “access tokens”. These tokens enable an application to access personal information and make changes to profiles, essentially giving third parties the “spare key” to your profile information, photographs, wall and messages.


It is not confirmed whether these third parties (mostly advertisers) knew about the security hole, though Facebook has since told Symantec that the flaw has been fixed. Access granted via these keys could have even been used to mine users’ personal data, with evidence that the security flaw could date back to 2007 when Facebook applications were launched.

Symantec employee Nishant Doshi said in a blog post:

“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”

Not Quite Sony

Access tokens are granted when a user installs an application and grants the service access to his or her profile information. Usually access keys expire over time, though many applications request an offline access key which will not change until a user sets a new password.

Despite Facebook using solid OAuth 2.0 authentication methods, a number of older authentication schemes are still accepted and in turn used by thousands of applications. It is these applications, using outdated authentication methods, that may have inadvertently leaked information to third parties.

Nishant explains:

“The application uses a client-side redirect for redirecting the user to the familiar application permission dialog box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, “return_session=1” and “session_version=3”, as part of their redirect code.”

[Image: Symantec screenshot showing the deprecated redirect parameters]

Should these parameters have been used (pictured above), Facebook would redirect the user back to the application with the access token embedded in the URL. That URL is then passed on to third-party advertisers as the referrer, complete with access token (pictured below).

[Image: Symantec screenshot showing the leaked URL with the access token]
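An added example, not from the article or from Symantec, of the check an application owner could run over their own login flow: it flags the two deprecated parameters quoted above and classifies whether a post-login URL carries the token in the query string (sent in the Referer header to any third-party content on that page) or only in the fragment (kept by the browser). The domains, endpoints and token values are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Deprecated parameters named in the Symantec quote; their presence selects
# the legacy, session-returning login flow.
DEPRECATED_PARAMS = ("return_session", "session_version")

def deprecated_params_in(url: str) -> dict:
    """Return any deprecated legacy parameters found in an app's login redirect URL."""
    query = parse_qs(urlsplit(url).query)
    return {k: query[k][0] for k in DEPRECATED_PARAMS if k in query}

def _carries_token(encoded: str) -> bool:
    """True if a query/fragment string carries an access token, either as its
    own parameter or wrapped inside another value (e.g. a JSON session blob)."""
    params = parse_qs(encoded)
    if "access_token" in params:
        return True
    return any("access_token" in v for values in params.values() for v in values)

def token_exposure(landing_url: str) -> str:
    """Where the token sits in the URL the user lands on after login.
    'query'    -> included in the Referer header, so every third-party ad or
                  script loaded by the landing page receives it
    'fragment' -> kept by the browser; never sent in Referer
    'none'     -> no token in the URL at all"""
    parts = urlsplit(landing_url)
    if _carries_token(parts.query):
        return "query"
    if _carries_token(parts.fragment):
        return "fragment"
    return "none"

def audit(login_redirect_url: str, landing_url: str) -> list:
    """Findings for one app's flow; an empty list means nothing to fix."""
    findings = []
    legacy = deprecated_params_in(login_redirect_url)
    if legacy:
        findings.append("legacy login parameters present: " + ", ".join(f"{k}={v}" for k, v in legacy.items()))
    if token_exposure(landing_url) == "query":
        findings.append("access token in query string: leaks via Referer to third-party content")
    return findings

# Constructed sample URLs on example domains (not real Facebook endpoints).
LEGACY_LOGIN = "https://login.example/login.php?api_key=APPKEY&return_session=1&session_version=3&next=https://app.example/cb"
LEAKY_LANDING = "https://app.example/cb?session=%7B%22access_token%22%3A%22TOKEN%22%7D"
SAFE_LANDING = "https://app.example/cb#access_token=TOKEN&expires_in=3600"
```

Running `audit(LEGACY_LOGIN, LEAKY_LANDING)` reports both findings; the fragment-based `SAFE_LANDING` with a modern login URL reports none.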

Users who are concerned that their access keys have been well and truly leaked should change their passwords immediately to automatically reset the token.

There was no news of the breach on the official Facebook blog, though revised application authentication methods have since been posted on the developers blog, requiring all sites and applications to switch to OAuth 2.0.

Are you paranoid about Internet security? Have your say on the current state of Facebook and online security in general in the comments!

Image Credit: Symantec


  1. Jack Cola
    May 12, 2011 at 2:21 pm

    So I wonder if this had anything to do with the Nicole Santos attack that saw people receive hundreds of notifications and wall posts on their profile from people. Around 4pm + hours (Australia), Facebook just exploded with wall posts and notifications for people.

    I am paranoid about internet security, every month or so, I go through Facebook to clean up all my comments and wall posts I make about people, in case something like this happens --> and it will again. So for those interested, below are some resources I have written about how you can protect yourself:

    Should You Let Your Future Employer Look At Your Facebook Profile? - http://www.jackcola.org/blog/149-should-you-let-your-future-employer-look-at-your-facebook-profile

    How To Protect Yourself Online While Using Facebook, Gmail, And Other Websites - http://www.jackcola.org/blog/137-how-to-protect-yourself-online-while-using-facebook-gmail-and-other-websites

    How To Delete and Deactivate Your Facebook Account - http://www.jackcola.org/blog/104-how-to-delete-and-deactivate-your-facebook-account

    How To Delete And Start Your Facebook From Scratch - http://www.jackcola.org/blog/123-how-to-delete-and-start-your-facebook-from-scratch

    How I Protect My Personal and Online Identity - http://www.jackcola.org/blog/122-how-i-protect-my-personal-and-online-identity

    How To Permanently Block A Stalker On Facebook - http://www.jackcola.org/blog/105-how-to-permanently-block-a-stalker-on-facebook

    Did You Know People Are Now Deleting Their Facebook Accounts - http://www.jackcola.org/blog/79-did-you-know-people-are-now-deleting-their-facebook-accounts

    Download Your Friends Facebook Email Addresses In 2 Minutes - http://www.jackcola.org/blog/73-download-your-friends-facebook-email-addresses-in-2-minutes

    Facebook New Privacy Options Suck! – Your Privacy Is Now Gone http://www.jackcola.org/blog/46-facebook-new-privacy-options-suck-your-privacy-is-now-gone

    I hope you find these useful

  2. Audioedge
    May 11, 2011 at 5:59 pm

    https://diasp.org - both your prayers are answered

  3. Denis St-Michel
    May 11, 2011 at 3:42 pm

    More than ever, it is time to rebuild a new alternative to facebook, for those like me who just don't care about third-party applications but enjoy sharing things and living in social networks. Just out of curiosity, how many people would love to have an application-free facebook alternative?

    • Tim Brookes
      May 11, 2011 at 3:47 pm

      Me! I basically have zero applications on my account for this very reason. The only reason I ever signed up for Facebook was to keep in touch and share a few photos. Now all I see are stupid daily horoscopes and other nonsense :(

      • Denis St-Michel
        May 11, 2011 at 3:55 pm

        Same for me @tbrookes:disqus I say we gather a bunch of people and we build the new facebook! Would be a great experience!

      • Audioedge
        May 11, 2011 at 3:59 pm

        https://diasp.org - both your prayers are answered