Facebook security breach allowed advertisers access to user data

Hundreds of thousands of Facebook apps may have leaked ‘access tokens’ to Facebook users’ actions and profiles, according to security company Symantec.

A FACEBOOK SECURITY LEAK meant advertisers and other third parties had access to users’ data – including profiles, photographs and chats – “for years”, according to Symantec.

As of April, Symantec estimates that the flaw affected close to 100,000 Facebook apps and that, since Facebook introduced apps in 2007, potentially hundreds of thousands of applications may have inadvertently allowed third parties access to user information via ‘access tokens’:

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms.

We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

The tokens allow applications “to perform certain actions on behalf of the user” and can grant access to a user’s profile.

A spokesperson for Facebook told the Wall Street Journal that there was no evidence of private information being leaked. They said the problem, which Symantec highlighted to Facebook in April, had been fixed.

On its Developer Blog today, Facebook said it was working to make its platform more secure for users and that it had introduced a plan whereby all Facebook apps must switch over to its newer OAuth security system. The leak relates to apps using older authentication schemes.

Symantec said there was no way to know how many of the leaked access codes are still available or being actively used by advertisers, and recommended that concerned Facebook users change their passwords, which will invalidate the older, leaked tokens.

In October, the WSJ reported that some of the most popular apps on the social networking site, including Farmville, Texas HoldEm Poker and MafiaWars, were leaking users’ unique ID numbers to advertisers. The ID can be used to look up any user’s name, regardless of their profile privacy settings.
