Skip to main content

Facebook applications security flaw fixed

A security flaw concerning Facebook applications that allowed advertisers to access user profiles has now, according to the social networking site, been dealt with.

Internet security firm Symantec said in a blog post that third parties “have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.”

Symantec’s Nishant Doshi, who discovered the issue along with co-worker Candid Wueest, pointed out that most of these third parties will not have known about the flaw. “Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue,” Doshi said in the post.

Doshi explained that some Facebook applications inadvertently leaked what are called “access tokens” to third parties. Facebook applications are programs integrated into the Facebook website that enable users to shop and play games, among other things.

“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage [and that] over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Doshi said.

The access tokens are described as being like spare keys that can be used to carry out certain actions on behalf of a user or to access the profile of a user. Doshi explained that “each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.”

In an email to the Wall Street Journal, a spokeswoman for Facebook said, “We’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties.”

According to Doshi, Facebook has been taken steps to fix the flaw to prevent further token leaks. He added, however, that “we fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

If any Facebook users are still worried about security with regards to this issue, Doshi has some useful advice: “Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.”

With a site as massive as Facebook, security issues are bound to hit the headlines from time to time. In January the social networking site beefed up security by incorporating HTTPS capability. This came in the wake of a study conducted by Digital Society that looked at the basic security functions of some popular websites – Facebook didn’t come out of that too well. In January, the fan page of Facebook CEO Mark Zuckerberg was hacked (though his personal page remained intact) and was taken down. Worshippers of the man will be happy to know that the page is back up.

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
How to force quit on Windows to fix frozen applications
A man sits, using a laptop running the Windows 11 operating system.

A frozen screen on Windows is not what you want to see when you're in the middle of doing some important work or playing a game. But how do you get past that? How do you force quit an app that won't respond?

The answer to those questions is force quitting, which is when you force the shut down of an unresponsive app . And we can show you at least three different ways to do it. Let's take a look at three ways you can force quit an app on Windows, so you can get back to working or having fun.

Read more
How to set your Facebook Feed to show most recent posts
A smartphone with the Facebook app icon on it all on a white marble background.

Facebook's Feed is designed to recommend content you'd most likely want to see, and it's based on your Facebook activity, your connections, and the level of engagement a given post receives.

But sometimes you just want to see the latest Facebook posts. If that's you, it's important to know that you're not just stuck with Facebook's Feed algorithm. Sorting your Facebook Feed to show the most recent posts is a simple process:

Read more
AMD and Apple face a dangerous new security flaw
A hacker typing on an Apple MacBook laptop while holding a phone. Both devices show code on their screens.

Researchers from cybersecurity firm Trail of Bits just found a vulnerability that affects some of the biggest brands in tech, namely Apple, AMD, and Qualcomm. The vulnerability, dubbed LeftoverLocals, affects graphics cards made by those companies. That makes it pretty widespread, with it affecting devices ranging from PCs and servers to tablets and smartphones. This flaw, if exploited, could allow attackers to access and steal data from vulnerable devices.

Normally, when working in a shared environment -- such as a workstation or a cloud computing infrastructure -- each user only has access to their own data and resources, even when working on the same hardware. However, LeftoverLocals bypasses these security measures and uses GPU memory to let potential attackers steal data from the other users on that same hardware.

Read more