Facebook accidentally leaks 100,000 users’ details

11 May 2011

Facebook has accidentally leaked access to potentially hundreds of thousands of users’ accounts because some applications were sharing access tokens – spare keys to your account – with advertisers.

Symantec researcher Nishant Doshi revealed that third parties, in particular, advertisers, have accidentally had access to Facebook users’ accounts, including profiles, photographs and chat, and also had the ability to post messages and mine personal information.

“Fortunately, these third parties may not have realised their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.”

Doshi explained Facebook applications are web applications that are integrated onto the Facebook platform. According to Facebook, 20m Facebook applications are installed every day.

“Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties, like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Doshi said.

In his blog, he explained that access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.

Facebook says it is moving to a more secure authentication flow

Facebook engineer Naitik Shah has responded in a blog post, explaining that the company is working to migrate users to more secure standards and that it is now working with Symantec to identify issues in its authentication flow.

“We continue to make Platform more secure for users. Earlier this year, we introduced the ability for users to browse Facebook over HTTPS.

“As a result, we provided ‘Secure Canvas URL’ and ‘Secure Tab URL’ fields in the Developer App for developers to serve their apps through an HTTPS connection. Today, 9.6m people are browsing Facebook over HTTPS and the trend is continuing to increase.

“As part of these efforts to make our Platform more secure, we have been working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 (an open standard co-authored with Yahoo, Twitter, Google and others) and HTTPS.

“Because of the number of apps using our legacy auth system, we need to be thoughtful about this transition. Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry.

“In addition, we have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure. This has led us to conclude that migrating to OAuth & HTTPs now is in the best interest of our users and developers.

“Today, we are announcing an update to our Developer Roadmap that outlines a plan requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1,” Shah said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years