Skip to main content

Facebook applications security flaw fixed

A security flaw concerning Facebook applications that allowed advertisers to access user profiles has now, according to the social networking site, been dealt with.

Internet security firm Symantec said in a blog post that third parties “have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.”

Symantec’s Nishant Doshi, who discovered the issue along with co-worker Candid Wueest, pointed out that most of these third parties will not have known about the flaw. “Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue,” Doshi said in the post.

Doshi explained that some Facebook applications inadvertently leaked what are called “access tokens” to third parties. Facebook applications are programs integrated into the Facebook website that enable users to shop and play games, among other things.

“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage [and that] over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Doshi said.

The access tokens are described as being like spare keys that can be used to carry out certain actions on behalf of a user or to access the profile of a user. Doshi explained that “each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.”

In an email to the Wall Street Journal, a spokeswoman for Facebook said, “We’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties.”

According to Doshi, Facebook has been taken steps to fix the flaw to prevent further token leaks. He added, however, that “we fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

If any Facebook users are still worried about security with regards to this issue, Doshi has some useful advice: “Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.”

With a site as massive as Facebook, security issues are bound to hit the headlines from time to time. In January the social networking site beefed up security by incorporating HTTPS capability. This came in the wake of a study conducted by Digital Society that looked at the basic security functions of some popular websites – Facebook didn’t come out of that too well. In January, the fan page of Facebook CEO Mark Zuckerberg was hacked (though his personal page remained intact) and was taken down. Worshippers of the man will be happy to know that the page is back up.

Editors' Recommendations

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Google just made this vital Gmail security tool completely free
google makes gmail dark web monitoring free laptop stephen phillips

Hackers are constantly trying to break into large websites to steal user databases, and it’s not entirely unlikely that your own login details have been leaked at some point in the past. In cases like that, upgrading your password is vital, but how can you do that if you don’t even know your data has been hacked?

Well, Google thinks it has the answer because it has just announced that it will roll out dark web monitoring reports to every Gmail user in the U.S. This handy feature was previously limited to paid Google One subscribers, but the company revealed at its Google I/O event that it will now be available to everyone, free of charge.

Read more
Western Digital comes clean about massive security breach
western digital wd black d30 game drive 1 tb deal best buy march 2023

The popular PC storage manufacturer, Western Digital, has confirmed that it experienced a network security breach earlier this year, in which an unauthorized third party gained control of several of its systems.

The incident took place on March 26, 2023, but was immediately addressed by the manufacturer, with Western Digital reporting the breach bringing in top security experts to launch an investigation, which is currently ongoing, the company said in a statement.

Read more
A new WordPress bug may have left 2 million sites vulnerable
wordpress vulnerability version 472 plug in

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

Read more