Symantec, a security company, has found that third-party Facebook apps have accidentally had access to Facebook users’ accounts for years. Specifically, they could see your profile, photographs and chats, and also had the ability to post messages and mine personal information.
Um, that’s not good at all. Luckily though, it seems like the third-party apps weren’t even aware they had access to all this information. But how the frak did this happen?
Symantec discovered that “Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms”. Symantec described access tokens as a sort of ‘spare key’ given to Facebook apps to let them do certain things (read your wall, access your profile, etc). The problem was that Facebook leaked the access token “by sending a HTTP request containing the access tokens in the URL to the application host”. These third-party apps would then unknowingly pass on the URL, which contained the user’s access token, to advertisers. This means that people you don’t want finding out things about you could easily have done so.
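The leak path described above (a credential placed in a URL’s query string, which then travels to any third party that receives that URL, for example through the Referer header of an embedded ad or analytics request) is something a site operator can check for in their own logs. The following Python scanner is an added example written for this article; it is not Symantec’s tool or Facebook’s code. The log lines, hostnames and token values are constructed, and the list of query-parameter names treated as credentials is an assumption you would adapt to your own application.

```python
"""Scan web-server log lines for access tokens carried in URL query strings.

Added example, not from the article, Symantec or Facebook. It flags requests
whose request path or Referer header carries a credential in the query string
(the channel the article describes) and produces a redacted copy of the line
so the token never lands in long-term logs.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query-string keys treated as credentials. Assumption: chosen for illustration;
# replace with the parameter names your own application actually uses.
TOKEN_KEYS = {"access_token", "token", "oauth_token"}

# Constructed sample lines in combined log format; the last quoted field is the Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2011:12:00:01 +0000] "GET /app/canvas?access_token=AAAB123secret&user=42 HTTP/1.1" 200 512 "-"',
    '10.0.0.5 - - [10/May/2011:12:00:02 +0000] "GET /ads/pixel.gif HTTP/1.1" 200 43 "https://apps.example.test/app/canvas?access_token=AAAB123secret&user=42"',
    '10.0.0.7 - - [10/May/2011:12:00:03 +0000] "GET /app/canvas?user=43 HTTP/1.1" 200 512 "-"',
]

# Pulls the request path and the Referer out of one combined-format line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ "(?P<referer>[^"]*)"'
)


def find_token_keys(url: str) -> set:
    """Return the credential-bearing query keys present in `url` (empty set if none)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return TOKEN_KEYS & set(query)


def redact_url(url: str) -> str:
    """Return `url` with the value of every credential-bearing parameter replaced."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for key in TOKEN_KEYS & set(query):
        query[key] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scan_log(lines):
    """Return (line_no, field, keys, redacted_line) for every line that leaks a token.

    `field` is "path" when the token sits in the request itself and "referer"
    when it arrived via the Referer header, i.e. a page that held the token in
    its URL loaded this resource and handed the token along.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        for field in ("path", "referer"):
            url = match.group(field)
            keys = find_token_keys(url)
            if keys:
                findings.append((line_no, field, keys, line.replace(url, redact_url(url))))
    return findings


if __name__ == "__main__":
    for line_no, field, keys, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: token in {field} ({', '.join(sorted(keys))})")
        print("  ", redacted)
```

The second sample line is the interesting one: the request is for a harmless tracking pixel, but the Referer shows the full URL of the page that loaded it, token included, which is how a credential placed in a URL reaches an advertiser without either party intending it. The practical mitigation is to keep bearer credentials out of URLs altogether (carry them in a header or request body instead) and to redact any that do appear before lines are written to logs.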
Facebook, when notified by Symantec, fixed the problem, and Douglas Purdy, director of developer relations, said:
We appreciate Symantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has some inaccuracies. Specifically, we’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies.
Seems like Facebook dodged a humongous bullet there. If you still feel unsafe, it’s probably a good idea to change your password, as that will kill off any of those remaining access tokens to your account. [Symantec via The Next Web]