Symantec, the world’s largest manufacturer of computer security software, discovered a glitch in Facebook’s security. According to its report, the website has been unknowingly leaking codes allowing access to the profiles of millions of users to a number of third parties, particularly advertisers. These codes allow these third parties access to the users’ photos, wall, and chat. They could then mine personal information or even post messages of their own on these users’ walls.
The problem originated in a security flaw in about 100,000 Facebook apps, which leaked access tokens to the users’ pages to these third parties. Apps are an integral part of the Facebook experience, and about 20 million are downloaded each day. According to Symantec, the access tokens, or “spare keys” to the users’ pages, have been leaked for several years already, so that the number of access tokens leaked is estimated to be in the millions.
Symantec adds that while most of these access tokens expire, if they were recognized by advertisers, they could request offline access tokens, which would allow them to access the users’ information until they change their passwords.
Both Symantec and Facebook say that there is no evidence that third parties were aware of the glitch or exploited it, and add that the problem no longer exists because Facebook has switched its authentication scheme to OAUTH2.0. Nevertheless, Facebook apps continue to support older authentication schemes. While Facebook has announced that it has patched the problem, Symantec still warns that, “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”
On Monday, Facebook announced that it had developed a roadmap to require “all sites and apps to migrate to OAuth 2.0.” Until then, however, Symantec suggests that Facebook users change their passwords, saying that it is the equivalent of “changing the lock” on their profiles.