Facebook apps have been leaking access to millions of Facebook users’ accounts, including profiles, photographs, chat and other personal information because of an old bug that overrides individual privacy settings and this affected hundreds of thousands of apps before it was discovered by researchers from security company Symantec.The bug exposed user access tokens to third parties, like advertisers and analytic platforms, the tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user or to access the user’s profile and also each oken is associated with a select set of permissions, like reading your wall, accessing your friend’s profile and posting to your wall………..
Symantec discovered that third-party Facebook applications had access to users accounts and profiles for years and could see your profile, photographs, chat messages and collect your personal information even if you had set it to private.This could constitute as the most widespread leak the site has suffered to date.Facebook has since confirmed the issue existed and plugged the leak, so this can no longer be exploited. But with 20 million applications installed by users per day, this represents a huge potential leak of personal information.Symantec explain how access tokens, or spare keys that are granted to you by Facebook, can be used to authorise certain actions on behalf of the user. These are set up by the application installed, through the permission request box. Though these keys will expire after a short time, some of these tokens allow applications to access your data while you are not using the site.
It is suggested could have Facebook passed on these access tokens in the URL to the application developers, which could then be passed on unknowingly to advertisers and other third parties.Facebook denies these claims, stating that there are inaccuracies and that a thorough investigation showed no evidence that information was being sent to third parties.This is not the first time Facebook has suffered a breach. Not only has it had to contend with its own internal code reaching the public site, which led to a full site shutdown late last year, but has also been targeted by malicious code writers and suffered serious worm attacks through rogue applications.The bug exposed user access tokens to third parties, like advertisers and analytic platforms. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user or to access the user’s profile. Each token is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall and so on.
For years, certain Facebook IFRAME apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information that users may have secured in their privacy settings. Symantec has confirmed that Facebook has fixed the underlying bug, but tokens already exposed may still be widely accessible. The only comfort the company offered was that the third parties who were accidentally granted access to the data may not have realized their ability to access this information.While many access tokens expire shortly after they’re issued, Facebook also supplies offline access tokens that remain valid indefinitely. Thankfully, Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys. If you use Facebook apps, go change your password on the social network as soon as possible.Facebook sees 20 million pass installed every day. There’s no way to know precisely how many apps or Facebook users were affected by this flaw, but Symantec estimates that as of April 2011, almost 100,000 apps were making the leak possible. That’s just for last month though: over the years, hundreds of thousands of apps may have inadvertently leaked millions of access tokens to third parties, according to the security giant.
When a user opens up an app to install on the social network, Facebook first sends the app a limited amount of non-identifiable information about the user (their country, locale, and age bracket) so that the app can personalize the page. Then the app sends the user to a permission dialog page using a client-side redirect. If the app uses a legacy Facebook API as well as the deprecated parameters “return_session=1″ and “session_version=3″, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the app host. The Facebook app can then inadvertently leak the access tokens to third parties. Worse yet, the URL that includes the access token is actually passed to third party advertisers as part of the referrer field of the HTTP requests.It’s no small coincidence that Facebook announced that it will be permanently retiring its old authentication routine. The company is still working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 and HTTPS.
Facebook is requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate in the next five months. The company says that the sheer number of Facebook apps prevents the company from forcing developers to make the switch immediately. Here’s the timeline the company has announced:
- July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
- September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
- October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.