Facebook Leaks Users’ Personal Information to Third Parties

May 12, 2011

Facebook may have unintentionally leaked users’ personal information to third parties, a security firm discovered. The leak may be one of the most significant privacy missteps by the social-networking giant.

Certain Facebook applications are leaking “access tokens” to third parties, such as advertisers, giving them access to personal-profile data such as chat logs and photographs, Symantec’s Nishant Doshi wrote on the Symantec Security Response blog on May 10. Most access tokens expire in two hours, but some tokens work offline and remain valid until the user changes the password, Doshi said.

Users are encouraged to change their passwords immediately, according to Symantec. Changing the password invalidates these tokens and is equivalent to “changing the lock” on the Facebook profile, Doshi wrote on the Symantec blog.

Access tokens act like “spare keys” to the user’s account, giving recipients the ability to access user profiles and perform certain actions, such as reading and posting Wall posts and accessing friend pages. Offline tokens work even when the user is not logged into Facebook and give applications and anyone else holding them access to the profile data at all times.

“We estimate that as of April 2011, close to 100,000 applications were enabling this leak,” Doshi wrote. The Symantec team estimated that since 2007, when Facebook launched applications, “hundreds of thousands of applications” could have leaked “millions” of these tokens.

Facebook IFRAME applications were leaking the tokens to advertisers and analytics platforms, Symantec said. During the application-installation process, users are prompted to grant permissions for certain actions, such as writing to the wall and accessing profile data. Once the user has clicked “Allow,” the application receives an access token, the so-called spare key. If the application uses Facebook’s older authentication system and certain deprecated parameters in its code, Facebook sends the access token to the application’s host as part of the URL. The token then appears in the HTTP referrer field, which is often sent on to advertisers and analytics companies whose content the page loads.
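The mechanism described above (a secret placed in a page URL's query string is carried in the HTTP referrer to every third party whose content that page loads) is easy to check for on the defender's side. The following is an added example, not code from the article or from Symantec or Facebook: it models what a browser sends as the referrer (fragment and credentials are dropped, the query string is not), scans constructed web-server log lines for referrers that carry sensitive parameters, and redacts such parameters before URLs are logged. The hostnames, parameter list and log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameters that must never reach a third party.
# Hypothetical list for this example; extend it to match your own application.
SENSITIVE_PARAMS = {"access_token", "session_key", "sig"}

# Constructed sample log lines in Apache "combined" format
# (host, ident, user, timestamp, request, status, bytes, referrer, user agent).
# These are not real traffic; hostnames and tokens are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example-host.test/canvas/?access_token=EXAMPLE_TOKEN_123&expires=0" '
    '"Mozilla/5.0"',
    '10.0.0.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example-host.test/canvas/?page=2" "Mozilla/5.0"',
    '10.0.0.7 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example-host.test/canvas/?session_key=EXAMPLE_SESSION&page=9" '
    '"Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_header_for(page_url: str) -> str:
    """Model the Referer value a browser sends for a page at page_url.

    Browsers strip the fragment (#...) and any user:pass@ credentials but
    keep the query string, which is exactly why a token in the query leaks.
    """
    parts = urlsplit(page_url)
    netloc = parts.netloc.rsplit("@", 1)[-1]  # drop userinfo if present
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def find_leaked_params(referer: str) -> list:
    """Return the sorted names of sensitive parameters present in a referrer URL."""
    names = {name for name, _ in parse_qsl(urlsplit(referer).query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def scan_log(lines) -> list:
    """Flag log entries whose referrer carried a sensitive parameter.

    Returns (client_host, [leaked parameter names]) for each offending line.
    Run this over a third-party's access log (or your own, to see what you
    are receiving from other sites) to detect token leakage after the fact.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        leaked = find_leaked_params(m.group("referer"))
        if leaked:
            findings.append((m.group("host"), leaked))
    return findings


def scrub_url(url: str) -> str:
    """Replace sensitive query values with REDACTED so the URL is safe to log or forward."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


if __name__ == "__main__":
    for host, leaked in scan_log(SAMPLE_LOGS):
        print(f"{host}: referrer leaked {', '.join(leaked)}")
    print(scrub_url("http://apps.example-host.test/canvas/?access_token=EXAMPLE&page=2"))
```

The `referer_header_for` model shows the design point behind the fix for this class of bug: a secret delivered in the URL fragment never appears in the referrer, while one delivered in the query string travels to every advertiser pixel and analytics script on the page. `scan_log` gives the receiving side a cheap way to notice that it is being handed other people's tokens, and `scrub_url` is the log-hygiene step so that even legitimately received URLs do not persist secrets.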

"The repercussions of this access-token leakage are seen far and wide," wrote Symantec researcher Nishant Doshi in a blog post.

For more, read the eWEEK article: Facebook Leaks Access Tokens, Exposes Private User Data to Advertisers.
