100,000+ Facebook apps leaking users’ personal data and access to accounts

Posted: May 14, 2011 in Analysis, Facebook, facebook(news), news

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms.


It is estimated that as of April 2011, close to 100,000 applications were enabling this leakage. Over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile, reports Symantec.
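For operators of third-party servers worried about the log-file exposure described above, the following added example (not from Symantec or the original post) finds and redacts tokens in an access log while keeping a hashed fingerprint for counting. It assumes a combined-format log and that the token appears as an `access_token` URL parameter in the request line or Referer field; the sample lines and hostnames are constructed.

```python
import hashlib
import re

# Assumption: the token travels as an `access_token` URL parameter.
TOKEN_RE = re.compile(r'(access_token=)([^&\s"#]+)', re.IGNORECASE)
# Combined log format tail: "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')


def fingerprint(token):
    """Short SHA-256 prefix: lets a token be counted without storing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scrub(lines):
    """Return (redacted_lines, findings).

    findings maps token fingerprint -> set of log fields it was seen in.
    """
    redacted, findings = [], {}
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            for field in ("request", "referer"):
                for _, tok in TOKEN_RE.findall(m.group(field)):
                    findings.setdefault(fingerprint(tok), set()).add(field)
        # Redact every occurrence on the line, whichever field it sits in.
        redacted.append(TOKEN_RE.sub(
            lambda t: t.group(1) + "REDACTED-" + fingerprint(t.group(2)),
            line))
    return redacted, findings


# Constructed sample log lines (hypothetical hosts and token values).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2011:10:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/canvas?u=1&access_token=CONSTRUCTED_A&x=1" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2011:10:00:02 +0000] '
    '"GET /pixel.gif?r=1&access_token=CONSTRUCTED_A HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/May/2011:10:00:03 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/canvas?u=2" "Mozilla/5.0"',
    '198.51.100.9 - - [14/May/2011:10:00:04 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example.test/canvas#access_token=CONSTRUCTED_B" "Mozilla/5.0"',
]

if __name__ == "__main__":
    clean, found = scrub(SAMPLE_LOG)
    print("\n".join(clean))
    for fp, fields in sorted(found.items()):
        print(fp, sorted(fields))
```

Redacting the stored logs does not revoke a token that has already been recorded elsewhere; the password change described above remains the user-side remedy.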

The permissions-based app menu, to which users must agree when installing an app, is the culprit.

There are over 500 million Facebook users, 50% of whom log on to Facebook on any given day. An average user has 130 friends. There are over 900 million objects that people interact with (pages, groups, events and community pages). People on Facebook install 20 million applications every day. So you can imagine the damage this may have caused!

Facebook spokeswoman Malorie Lucich released a statement saying that Symantec’s accusations disregarded the “contractual obligations of advertisers and developers,” which restrict them from acquiring or spreading this information in a way that infringes on Facebook policy. She also noted that Facebook has removed the outdated Application Programming Interface (API) that Symantec had mentioned. Facebook now uses OAuth 2.0 for authentication.

You may recollect that last year, Harvard Business School professor Benjamin Edelman claimed that Facebook provided users’ information, including name and photos, to advertisers. According to his findings, clicking on an advertiser’s advertisement reveals the Facebook user’s name or user ID to the advertiser.

“With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more,” he had said.

There have been a lot of Facebook security breaches, and every time one has been detected, Facebook has gone on to patch it.

