Symantec: Facebook Bug Hands Out Users’ Spare Keys

Facebook has been accidentally providing third parties, including advertisers, with “spare keys” to an unknown number of user accounts over the past four years, according to security firm Symantec.

The third parties have had access to profiles, photographs, chat and have had the ability to post messages and mine personal information, Symantec said in an advisory on Tuesday.

Token leak

Access was provided due to a bug which Symantec estimated has cropped up in hundreds of thousands of Facebook applications since they were launched in 2007.

“Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms,” said Symantec senior software engineer Nishant Doshi in a blog post. “We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”

Doshi said the third parties may not have realised they had this access. The issue was reported to Facebook, which has since corrected it, according to Symantec.

“Access tokens are like ‘spare keys’ granted by you to the Facebook application,” Doshi wrote. “Using this access token, the application can now access the user’s information or perform actions on behalf of the user.”

Facebook said it had found no evidence that private user information had been shared due to the issue.

“We have no evidence of this information being used in a way that violated our policies, but nonetheless, we take any potential issue seriously and quickly took steps to prevent this from happening with apps on Facebook,” the company said in a statement.

Protection

Doshi, who, with Symantec’s Candid Wueest, is credited with discovering the issue, said there was no way of estimating how many access tokens may have been leaked since the launch of Facebook applications in 2007.

“We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers,” Doshi wrote.

He said concerned users could change their Facebook passwords to ensure they are protected. “Changing the password invalidates these tokens and is equivalent to ‘changing the lock’ on your Facebook profile,” Doshi wrote.
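The leak Symantec describes, and its warning that tokens may still sit in third-party log files, can be turned into a defensive check on the receiving side. The script below is an added example written for this article; it is not code from Symantec, Facebook or the author. It assumes the token travelled as a URL query parameter named access_token (the article does not state the mechanism; the other two parameter names are hypothetical aliases), and it scans a constructed access log in Common Log Format for such tokens in request paths and Referer headers, then rewrites the log so the stored copy no longer holds working credentials.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameter names treated as bearer credentials.
# Assumption for this example: "access_token" is the name Facebook's Graph API
# uses; the other two are hypothetical aliases an app might use.
TOKEN_PARAMS = {"access_token", "fb_access_token", "token"}

# Common Log Format with Referer and User-Agent fields appended.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample standing in for a third-party analytics server's access log.
# Hosts, URLs and token values are made up; the first line shows a token arriving
# in the Referer of an embedded pixel request, the third a token sent directly
# in the request path, and the second a clean request for comparison.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/canvas/?access_token=AAAConstructedToken123'
    '&signed_request=abc" "Mozilla/5.0"\n'
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/canvas/?page=2" "Mozilla/5.0"\n'
    '203.0.113.7 - - [10/May/2011:12:00:03 +0000] '
    '"GET /track?access_token=AAAConstructedToken999 HTTP/1.1" 200 12 '
    '"-" "Mozilla/5.0"\n'
)


def tokens_in_url(url):
    """Return (param, value) pairs from url's query string that carry a token."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in TOKEN_PARAMS]


def redact_url(url):
    """Return url with every token parameter value replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in TOKEN_PARAMS for k, _ in pairs):
        return url  # nothing sensitive; keep the line byte-for-byte
    cleaned = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(text):
    """List every token found in a request path or Referer, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; a real deployment would log the parse failure
        for where in ("path", "referer"):
            for param, value in tokens_in_url(m.group(where)):
                findings.append({"line": lineno, "where": where,
                                 "param": param, "value": value,
                                 "client": m.group("host")})
    return findings


def redact_log(text):
    """Return the log with token values removed from paths and Referers."""
    out = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            for where in ("path", "referer"):
                original = m.group(where)
                line = line.replace(original, redact_url(original))
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']} leaked via {f['where']} "
              f"from client {f['client']}")
    print(redact_log(SAMPLE_LOG))
```

Run the scan before the redaction: the findings tell an operator which embedded-app URLs are still sending credentials and which clients are affected, and the redacted copy is what should be retained. Redaction only removes the evidence from storage; as the article notes, the tokens themselves stop working once the affected users change their passwords.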

Last autumn Facebook labelled hacking a “major issue”.

In January the company introduced two new features to add an extra layer of security for users. The first was a new authentication scheme called “Social Authentication”, which is meant to keep attackers from hijacking accounts; the second gives users the ability to secure their entire Facebook session via HTTPS.

Last month web security firm Sophos posted an open letter to Facebook taking the social networking giant to task for its ongoing safety and privacy issues.

At the time Sophos said Facebook needed to enable privacy and HTTPS by default and start vetting applications that appear on the site.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
