Facebook Leaks Access Tokens, Exposes Private User Data to Advertisers

Facebook may have unintentionally leaked users’ personal information to third parties, a security firm discovered. The leak may be one of the most significant privacy missteps by the social-networking giant.

Certain Facebook applications are leaking “access tokens” to third parties, such as advertisers, giving them access to personal-profile data such as chat logs and photographs, Symantec’s Nishant Dosti wrote on the Symantec Security Response blog on May 10. Most access tokens expire in two hours, but some tokens work offline and remain valid until the user changes the password, Doshi said.

Users are encouraged to change their passwords immediately, according to Symantec. Changing the password invalidates these tokens and is equivalent to “changing the lock,” on the Facebook profile, Doshi wrote on the Symantec blog.

Access tokens act like “spare keys” to the user’s account, giving recipients the ability to access user profiles and perform certain actions, such as reading and posting Wall posts and accessing friend pages. Offline tokens work even when the user is not logged into Facebook and give applications and anyone else holding them access to the profile data at all times.

“We estimate that as of April 2011, close to 100,000 applications were enabling this leak,” Doshi wrote. The Symantec team estimated that since 2007, when Facebook launched applications, “hundreds of thousands of applications” could have leaked “millions” of these tokens.

Facebook IFRAME applications were leaking the tokens to advertisers and analytic platforms, Symantec said. During the application-installation process, users are prompted to grant permissions to certain actions, such as writing to the wall and accessing profile data. Once the user has clicked on “Allow,” the application receives an access token, the so-called spare key. If the application is using Facebook’s older authentication system and used certain deprecated parameters in the code, then Facebook sends the access token to the application’s host. The token appears in the HTTP referrer field, which is often sent onto advertisers and analytics companies.

"The repercussions of this access-token leakage are seen far and wide," wrote Symantec researcher Nishant Doshi in a blog post.

There’s no good way to estimate exactly how many access tokens were leaked, but the good news is that it was unlikely most developers even knew they had this access, according to Symantec’s Doshi.  Symantec informed Facebook of the problem early last month, and the social-networking giant took “corrective action” to “eliminate the issue.”

Facebook acknowledged that there had been an issue and that it had been fixed, but that the Symantec post was inaccurate because the information was never shared with unauthorized parties.

The company alluded to the situation when announcing an update to its developer roadmap in a May 11 post on the Facebook developer blog. Facebook has been “working with Symantec to identify issues in our authentication flow to ensure that they are more secure,” Natik Shah, a member of the Facebook Platform team, wrote on the blog.

By default, Facebook uses OAUTH 2.0 for its authentication scheme to secure applications, but many applications continue to use an older authentication system and HTTP. “Because of the number of apps using our legacy auth system, we need to be thoughtful about this transition [to OAUTH 2.0],” Shah said.

After working with Symantec, Facebook has decided all developers will have to switch their sites and applications to the more secure system by Sept. 1. The updates to the software-development kit will be available July 1 and all applications must support the SSL (Secure Sockets Layer) by Oct. 1 so that those using HTTPS will be able to use applications as well.

“We believe these changes create better and more secure experiences for users of your app," Shah wrote.

Users install 20 million Facebook applications every day, according to Facebook.