Skip to main content

Facebook applications security flaw fixed

A security flaw concerning Facebook applications that allowed advertisers to access user profiles has now, according to the social networking site, been dealt with.

Internet security firm Symantec said in a blog post that third parties “have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.”

Recommended Videos

Symantec’s Nishant Doshi, who discovered the issue along with co-worker Candid Wueest, pointed out that most of these third parties will not have known about the flaw. “Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue,” Doshi said in the post.

Doshi explained that some Facebook applications inadvertently leaked what are called “access tokens” to third parties. Facebook applications are programs integrated into the Facebook website that enable users to shop and play games, among other things.

“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage [and that] over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Doshi said.

The access tokens are described as being like spare keys that can be used to carry out certain actions on behalf of a user or to access the profile of a user. Doshi explained that “each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.”

In an email to the Wall Street Journal, a spokeswoman for Facebook said, “We’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties.”

According to Doshi, Facebook has been taken steps to fix the flaw to prevent further token leaks. He added, however, that “we fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

If any Facebook users are still worried about security with regards to this issue, Doshi has some useful advice: “Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.”

With a site as massive as Facebook, security issues are bound to hit the headlines from time to time. In January the social networking site beefed up security by incorporating HTTPS capability. This came in the wake of a study conducted by Digital Society that looked at the basic security functions of some popular websites – Facebook didn’t come out of that too well. In January, the fan page of Facebook CEO Mark Zuckerberg was hacked (though his personal page remained intact) and was taken down. Worshippers of the man will be happy to know that the page is back up.

Topics
Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Your PC’s security is being attacked on two new fronts
Person using Windows 11 laptop on their lap by the window.

Your PC is facing a double whammy of cyber threats, both of them built into basic Windows features -- one that exploits Windows search and another a Wi-Fi vulnerability.

The first vulnerability allows hackers to exploit search in what researchers have called a "clever" way, as reported by Trustwave. It begins when users are tricked into downloading malware, starting with phishing emails with malicious .ZIP attachments containing HTML files disguised as invoices or something along those lines.

Read more
Snag a year’s access to Norton’s ‘Secure VPN’ while it’s 75% off
A close-up of a computer monitor displaying a generic VPN.

For one of the best VPN deals today, check out Stack Social which currently has Norton Secure VPN available for just $20 for a one-year subscription instead of the usual price of $80. Protecting up to five devices including all your iOS and Android devices, as well as your laptop or desktop, it’s fantastic value for such strong peace of mind. If you’re in the market for a new VPN, keep reading while we explain why it’s worth buying Norton Secure VPN.

Why you should buy Norton Secure VPN
You won’t see Norton Secure VPN in our look at the best VPNs, but don’t fret as it’s still a major name in the security world featuring prominently in looks at the best antivirus software. With Norton Secure VPN, you get real-time threat protection for up to five of your devices along with online privacy.

Read more
How to download a video from Facebook
An elderly person holding a phone.

Facebook is a great place for sharing photos, videos, and other media with friends and family. But what if you’d like to download a video to store offline? This means you’d be able to watch the clip on your PC or mobile device, without needing to be connected to the internet. Fortunately, there’s a way to download Facebook videos to your everyday gadgets, although it’s not as straightforward a process as it could be.

Read more