100,000 Facebook Apps Have Accidentally Leaked Personal Data

Symantec, a security company, has found that third-party Facebook apps have accidentally had access to Facebook users' accounts for years. Specifically, they could see your profiles, photographs, chat and also have the ability to post messages and mine personal information.

Um, that's not good at all. Luckily though, it seems like the third-party apps weren't even aware they had access to all this information. But how the frak did this happen?

Symantec discovered that "Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms". Symantec described access tokens as a sort of 'spare key' given to Facebook apps to let them do certain things (read your wall, access your profile, etc). The problem was that Facebook leaked the access token "by sending a HTTP request containing the access tokens in the URL to the application host". These third-party apps would then unknowingly pass on that URL, access tokens and all, to advertisers. That means people you wouldn't want learning things about you could easily have done so.
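An added example (mine, not code from the article, Symantec or Facebook) of a defender-side check for the pattern described above: it flags an OAuth access token carried in a URL query string, whether in the requested URL or in a Referer that the app host forwards on to a third party, and redacts it before the URL is logged or passed on. The parameter names in `SENSITIVE_PARAMS`, the hostnames and the one-line log format are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that carry a bearer credential (assumed list).
SENSITIVE_PARAMS = {"access_token", "oauth_token", "fb_sig_session_key"}


def find_leaked_tokens(url: str) -> dict:
    """Return {param: value} for every credential-bearing query parameter in url."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_url(url: str) -> str:
    """Replace credential parameter values so the URL is safe to log or forward."""
    parts = urlsplit(url)
    scrubbed = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                          for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, scrubbed, parts.fragment))


# Constructed sample access log (not real traffic). Line 1 is the token arriving
# at the app host in the URL; line 3 is the failure mode the article describes:
# the same token reaching an analytics host inside the Referer.
SAMPLE_LOG = """\
203.0.113.5 GET /canvas/?access_token=EXAMPLE_TOKEN_abc123&signed=1 referer=-
203.0.113.5 GET /static/app.js referer=https://apps.example/canvas/?page=2
203.0.113.5 GET https://analytics.example/px.gif referer=https://apps.example/canvas/?access_token=EXAMPLE_TOKEN_abc123
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) GET (?P<url>\S+) referer=(?P<ref>\S+)$")


def scan_log(text: str) -> list:
    """Return (line_no, field, param) for every token exposure in the log text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        for field in ("url", "ref"):
            for param in find_leaked_tokens(m.group(field)):
                hits.append((n, field, param))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("token exposed:", hit)
    print(redact_url("https://apps.example/canvas/?access_token=EXAMPLE_TOKEN_abc123&signed=1"))
```

Running the scan over a real proxy or CDN log would surface the same two classes of hit: tokens in requested URLs (the app's own design choice) and tokens in Referers to hosts the app does not control (the leak).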

Facebook, when notified by Symantec, fixed the problem, and Douglas Purdy, director of developer relations, said:

We appreciate Symantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has some inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies.

Seems like Facebook dodged a humongous bullet there. If you still feel unsafe, it's probably a good idea to change your password, as that will kill off any remaining access tokens to your account. [Symantec via The Next Web]



    facebook are so full of shit.

    Let's be clear: apps are in effect your "friends" - they have much the same access to stuff your friends do, and if your "friends of friends" settings are loose, your friends expose you to apps via their use of them. The app runs on its own server Facebook doesn't control, and can stash whatever they want to. Sure the legals say they can not give them to third parties, but so what - at least some of those apps are written by people who are either dodgy or sloppy.

    Their "investigation" is a crock - what, they really checked all apps, and all versions of all historical apps for issues? Bull. Facebook apps are evil, use with care.

    Apps always ask you to grant permission to those things. They've been asking permission for that kind of shit for years.

    If there's an app that asks for permission to access my personal data and post to my wall without consulting me, I just don't use it.

    I knew this would one day happen
