Facebook flaw leaked millions of user account access tokens

By Bob Sullivan
May 10, 2011

Advertisers and other third parties had the potential to gain unauthorized access to many Facebook user accounts and profile information because of a software flaw, Symantec Corp. said Tuesday night.

Hundreds of thousands of third-party applications leaked user account access tokens to advertisers and others during the past several years, Symantec said. In April alone, when the flaw was found, about 100,000 applications were enabling the leakage, according to the company.

Facebook was advised of the flaw and fixed it, according to Symantec, but some of the leaked access codes, called tokens, might still be stored in log files or in applications, and could still be exploited as long as they remain valid.

“Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens,” Symantec wrote in a blog post describing the situation. “We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”

The tokens act like “spare keys,” allowing third-party applications to perform certain functions on behalf of users without requiring them to log in each time. When third-party apps are installed, users selectively grant them permission to access profile data. In certain situations, a token can be passed by Facebook to these third-party applications “potentially on purpose and unfortunately very commonly by accident” in the referrer field (the HTTP Referer header) of Web-based data requests: when a token sits in the address of an app page, the browser sends that address along with every request the page makes for ads, tracking pixels and scripts hosted elsewhere, so those outside servers record the token. That data, in turn, can be shared with other third parties.

In other words, the spare key gets around.

That would enable third parties to gain unauthorized access to profiles, photographs, and chats, and also enable a malicious attacker to post messages and mine personal information, Symantec said.
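The leak path described above, shown as an added example that is not from the article or from Symantec's write-up: a small Python script that simulates what a browser places in the Referer header when an app page's URL carries a token in its query string versus its fragment, and then scans a constructed third-party access log for Referer values that carry a token, which is what a check for leftover tokens in an advertiser's logs would look like. The parameter names `access_token` and `token`, the combined log format, the hostnames and the token values are all assumptions made for the example.

```python
"""Added example (not from the article or Symantec): how an access token in a
page's URL query string leaks to third parties through the HTTP Referer
header, and how to find such leaks in a third party's access log.

Assumptions (hypothetical, not from the page): the app page URL carries the
token as an ``access_token`` or ``token`` query parameter, and the third-party
log is in Apache/NGINX combined format with the Referer as the second quoted
field after the status and size.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in combined format, as an ad or analytics server
# would record requests for a pixel or script embedded in an app page.
# Hostnames and token values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.example.com/farm/?access_token=AAAB.fake.token.one&ref=canvas" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.example.com/farm/" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:12:00:03 +0000] "GET /ad.js HTTP/1.1" 200 1200 "http://apps.example.com/quiz/?page=2&access_token=AAAB.fake.token.two" "Mozilla/5.0"
203.0.113.10 - - [10/May/2011:12:00:04 +0000] "GET /ad.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed names of query parameters that carry a token (hypothetical).
TOKEN_PARAMS = ("access_token", "token")


def referer_sent_by_browser(page_url: str) -> str:
    """Simulate what a browser puts in the Referer header for a sub-resource
    fetched from page_url: scheme, host, path and query string are sent, while
    the fragment (everything after '#') is never sent."""
    parts = urlsplit(page_url)
    ref = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if parts.query:
        ref += "?" + parts.query
    return ref


def tokens_in_referer(referer: str) -> list[str]:
    """Return the values of any token-like query parameters in a Referer URL.
    An absent Referer is logged as '-' in combined format."""
    if not referer or referer == "-":
        return []
    qs = parse_qs(urlsplit(referer).query)
    found: list[str] = []
    for name in TOKEN_PARAMS:
        found.extend(qs.get(name, []))
    return found


def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Scan a combined-format log and return (client_ip, token) pairs for every
    request whose Referer carried a token. Lines that do not parse are skipped."""
    leaks: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for tok in tokens_in_referer(m.group("referer")):
            leaks.append((m.group("ip"), tok))
    return leaks


if __name__ == "__main__":
    # Same token in the query string (leaks) versus in the fragment (does not).
    print(referer_sent_by_browser("http://apps.example.com/farm/?access_token=AAAB.fake"))
    print(referer_sent_by_browser("http://apps.example.com/farm/#access_token=AAAB.fake"))
    for ip, tok in scan_log(SAMPLE_LOG):
        print(f"{ip} leaked token {tok}")
```

The second `referer_sent_by_browser` call shows why moving a token from the query string to the URL fragment stops this class of leak: browsers never include the fragment in Referer, so a third party's log only ever sees the page path. Run against a real combined-format log, `scan_log` lists which leaked tokens are still sitting in it and should be treated as compromised until invalidated.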

Facebook acknowledged the flaw, but told the Wall Street Journal that it had not been exploited by anyone.

“We’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties,” the firm said, according to the Journal. No explanation of the investigation was shared.

The incident is not the first time Facebook has been accused of leaking critical data to third parties. Last fall, the Wall Street Journal found that many popular apps were transmitting Facebook user ID information to third parties, regardless of user privacy settings.

The token leakage incident is just the latest reminder that Facebook holds a treasure trove of information about half a billion people, leaving the firm atop a mountain of private data. The safety and security of so much information stored in one place is inherently suspect.

“The repercussions of this access token leakage are seen far and wide,” wrote Nishant Doshi, who discovered the flaw with Candid Wueest, in his blog post about the incident.
