Symantec researchers have uncovered a serious flaw in how Facebook applications are handling authentication that gives third-parties access to user-profile data.
Facebook may have unintentionally leaked users' personal information to third parties, a security firm discovered. The leak may be one of the most significant by the social-networking giant.
applications are leaking "access tokens" to third parties, such as advertisers, giving them access to personal-profile data such as chat logs and photographs, Symantec's Nishant Doshi wrote on the Symantec Security Response blog on May 10. Most access tokens expire in two hours, but some tokens work offline and remain valid until the user changes the password, Doshi said.
Users are encouraged to change their passwords immediately, according to Symantec. Changing the password invalidates these tokens and is equivalent to "changing the lock" on the Facebook profile, Doshi wrote on the Symantec blog.
Access tokens act like "spare keys" to the user's account, giving recipients the ability to access user profiles and perform certain actions, such as reading and posting Wall posts and accessing friend pages. Offline tokens work even when the user is not logged into Facebook and give applications and anyone else holding them access to the profile data at all times.
"We estimate that as of April 2011, close to 100,000 applications were enabling this leak," Doshi wrote. The Symantec team estimated that since 2007, when Facebook launched applications, "hundreds of thousands of applications" could have leaked "millions" of these

Facebook IFRAME applications were leaking the tokens to advertisers and analytic platforms, Symantec said.
During the application-installation process, users are prompted to grant permissions to certain actions, such as writing to the wall and accessing profile data. Once the user has clicked on "Allow," the application receives an access token, the so-called spare key. If the application is using Facebook's older authentication system and used certain deprecated parameters in the code, then Facebook sends the access token to the application's host. The token appears in the HTTP referrer field, which is often sent onto advertisers and
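The mechanism above is a referrer leak: any credential placed in a page's URL query string is forwarded to every third-party resource that page embeds. The Python script below is an added example, not Symantec's or Facebook's code; it scans constructed web-server log lines (as an embedded ad or analytics server would record them) for Referer values that carry a credential-like query parameter, and shows that a token kept in the URL fragment, where OAuth 2.0 places it, never reaches the third party. The parameter names in SENSITIVE_PARAMS, the host names and the token values are assumptions.

```python
"""Detect access tokens leaking to a third party through the HTTP Referer header."""
import re
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that should never appear in a URL seen by third parties.
# "access_token" is the OAuth name; the other two are assumed examples.
SENSITIVE_PARAMS = {"access_token", "session_key", "auth_token"}

# Apache/nginx "combined" log format: ... "REQUEST" STATUS BYTES "REFERER" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params_in_url(url):
    """Return the sensitive parameter names present in the URL's query string.

    The fragment (#...) is deliberately ignored: browsers never transmit it in
    the Referer header, which is why OAuth 2.0 delivers tokens there instead.
    """
    query = urlsplit(url).query
    return sorted(set(parse_qs(query, keep_blank_values=True)) & SENSITIVE_PARAMS)


def find_leaks(log_lines):
    """Return (client_ip, referer, leaked_params) for every request whose
    Referer handed this server a credential belonging to the embedding page."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined format; skip rather than guess
        leaked = sensitive_params_in_url(match.group("referer"))
        if leaked:
            hits.append((match.group("ip"), match.group("referer"), leaked))
    return hits


# Constructed sample: three hits on a tracking pixel embedded in an app page.
# Only the first line carries the token in the query string (the leaking case).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example.net/game/?access_token=TOKEN_PLACEHOLDER_1" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example.net/game/#access_token=TOKEN_PLACEHOLDER_2" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example.net/game/?level=3" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, referer, params in find_leaks(SAMPLE_LOG):
        print(f"{ip} received {', '.join(params)} via Referer {referer}")
```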
"The repercussions of this access-token leakage are seen far and wide," wrote Symantec researcher Nishant Doshi in a blog post.
There's no good way to estimate exactly how many access tokens were leaked, but the good news is that it was unlikely most developers even knew they had this access, according to Symantec's Doshi. Symantec informed Facebook of the problem early last month, and the social-networking giant took "corrective action" to "eliminate
Facebook acknowledged that there had been an issue and that it had been fixed, but that the Symantec post was inaccurate because the information was never shared with unauthorized parties.
The company alluded to the situation when announcing an update to its developer roadmap in a May 11 post on the Facebook . Facebook has been "working with Symantec to identify issues in our authentication flow to ensure that they are more secure," Natik Shah, a member of the Facebook Platform team, wrote on the blog.
By default, Facebook uses OAuth 2.0 for its authentication scheme to secure applications, but many applications continue to use an older authentication system and HTTP. "Because of the number of apps using our legacy auth system, we need to be thoughtful about this transition [to OAuth 2.0]," Shah said.
After working with Symantec, Facebook has decided all developers will have to switch their sites and applications to the more secure system by Sept. 1. The updates to the software-development kit will be available July 1, and all applications must support SSL (Secure Sockets Layer) by Oct. 1 so that those using HTTPS will be able to use applications
"We believe these changes create better and more secure experiences for users of your app," Shah
Users install 20 million Facebook applications every day, according to Facebook.