
Facebook security breach allowed advertisers access to user data

Hundreds of thousands of Facebook apps may have leaked ‘access tokens’ to Facebook users’ actions and profiles, according to security company Symantec.

A FACEBOOK SECURITY LEAK meant advertisers and other third parties had access to users’ data – including profiles, photographs and chats – “for years”, according to Symantec.

As of April, Symantec estimates that the flaw affected close to 100,000 Facebook apps and that, since Facebook introduced apps in 2007, potentially hundreds of thousands of applications may have inadvertently allowed third parties access to user information via ‘access tokens’:

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms.

We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

The tokens allow applications “to perform certain actions on behalf of the user” and can grant access to a user’s profile.

A spokesperson for Facebook told the Wall Street Journal that there was no evidence of private information being leaked. They said the problem, which Symantec highlighted to Facebook in April, had been fixed.

On its Developer Blog today, Facebook said it was working to make its platform more secure for users and that it has introduced a plan whereby all Facebook apps must switch over to its newer OAuth security system. The leak relates to apps using older authentication schemes.

Symantec said there was no way to know how many of the leaked access tokens are still available or being actively used by advertisers, and recommended that concerned Facebook users change their passwords, which will invalidate the older, leaked tokens.

In October, the WSJ reported that some of the most popular apps on the social networking site, including Farmville, Texas HoldEm Poker and MafiaWars, were leaking users’ unique ID numbers to advertisers. The ID can be used to look up any user’s name, regardless of their profile privacy settings.
