Researchers at Symantec recently revealed that some 100,000
Facebook applications have been inadvertently leaking access to
member profiles, pictures, chats, and other information to third
parties, including advertisers.
Symantec reported the issue to Facebook, which has now removed the
offending API that left the door open for this privacy and security
gap. The social network now requires developers to adopt the open
OAuth authorization standard to shore up app security.
But the damage already could have been done, as hundreds of
thousands of Facebook apps could have leaked millions of so-called
"access tokens" over the years, according to Symantec.
The good news is that these third parties might not have been aware
that they could gain access to the information with the tokens, and
Facebook updated its developer road map in response. "We raised
[this issue with Facebook], and it looks like they fast-forwarded
some steps and discontinued use of that API that had the capability
of leakage," says Kevin Haley, director at Symantec Security
Response.
Access tokens are basically the "spare keys" that let an application
read or post to your wall, or access a friend's profile or pictures,
on your behalf. They are bearer credentials: whoever holds one can
use it without ever knowing your password. Most tokens only live for
about two hours and then expire, so there's a narrow window of abuse.
"By default, most access tokens expire after a short time, however
the application can request offline access tokens which allow them
to use these tokens until you change your password, even when you
aren’t logged in," according to a post by Symantec
researchers disclosing the privacy and security issue.
Facebook, meanwhile, says it has investigated the issue, and has
found no sign of abuse.
"We appreciate Symantec raising this issue and we worked with them
to address it immediately," a Facebook spokesperson said in a
statement. "Unfortunately, their resulting report has a few
inaccuracies. Specifically, we've conducted a thorough
investigation which revealed no evidence of this issue resulting in
a user's private information being shared with unauthorized third
parties. In addition, this report ignores the contractual
obligations of advertisers and developers which prohibit them from
obtaining or sharing user information in a way that violates our
policies. Finally, the change we announced yesterday on our
developer blog removes the outdated API referred to in Symantec's
report."
Even so, Congressmen Edward Markey and Joe Barton reportedly have
asked Facebook CEO Mark Zuckerberg to explain just how such a
security hole was not previously discovered and how the company
will be alerting users about it.
"This is an issue with the way the Web works. Applications that are
built on top of this technically could inadvertently leak sensitive
information if it is stored in the URL. In this case, the access
token was being listed in the URL, and when the third-party
application displayed an external advertisement, the access token
was sent along with the referral URL information," says Nicholas J.
Percoco, senior vice president and head of SpiderLabs at Trustwave.
"It is important to remember that the end user granted permission
for the application to access and, in some cases, make a post to
their Facebook account. Unfortunately, the side effect of this
permission was the possibility of the application using
advertisement services of another party and inadvertently passing
this access permission along to them."
Security experts recommend that Facebook users change their
passwords, since doing so invalidates any outstanding tokens.
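The mechanism Percoco describes is ordinary HTTP behaviour: a browser loading a page whose URL carries the token will send that URL as the Referer header with every request for an embedded third-party resource, such as an ad image. The following is an added example, not code from the article, Symantec, Facebook or Trustwave. It scans constructed ad-server access-log lines for tokens arriving in the Referer, and redacts them for safe logging. It assumes the token travels in a query parameter named access_token (an assumption; the article does not name the parameter); the hostnames, addresses and token values are made up.

```python
"""
Added example (not from the article or from Symantec's report): how an
access token placed in a page URL ends up in the Referer header of a
third-party ad request, and how an ad server's access log reveals it.

The log lines below are CONSTRUCTED for this example; hostnames, paths
and token values are made up.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that commonly carry bearer credentials. Assumption:
# 'access_token' is the parameter name used by the legacy scheme; the
# others are included defensively.
SENSITIVE_PARAMS = {"access_token", "oauth_token", "token"}

# Constructed Apache "combined" log lines from a hypothetical ad server.
# Line 1: the canvas page URL (with the token) arrives as the Referer.
# Line 2: same page without a token in the URL. Line 3: no Referer at all.
AD_SERVER_LOG = """\
203.0.113.5 - - [10/May/2011:14:02:11 +0000] "GET /banner.gif HTTP/1.1" 200 4531 "http://apps.example-canvas.test/farm/?access_token=1234567890%7Cabcdef.ghijk.lmnop&uid=42" "Mozilla/5.0"
203.0.113.5 - - [10/May/2011:14:02:12 +0000] "GET /banner.gif HTTP/1.1" 200 4531 "http://apps.example-canvas.test/farm/?uid=42" "Mozilla/5.0"
198.51.100.9 - - [10/May/2011:14:03:40 +0000] "GET /pixel HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_leaked_tokens(referer):
    """Return {param: value} for credential-bearing params in a Referer URL.

    Only the query string is inspected: browsers never send the #fragment
    in Referer, which is why OAuth 2.0's implicit flow returns the token
    in the fragment rather than in the query string.
    """
    if referer in ("", "-"):
        return {}
    parts = urlsplit(referer)
    return {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_url(url):
    """Rebuild the URL with credential parameters replaced by a marker, so
    the URL can be logged or shared without the token."""
    parts = urlsplit(url)
    q = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def scan_log(text):
    """Parse combined-format lines; return one finding per line whose
    Referer carries a credential: (client ip, leaked params, redacted URL)."""
    findings = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        leaked = find_leaked_tokens(m["referer"])
        if leaked:
            findings.append((m["ip"], leaked, redact_url(m["referer"])))
    return findings


if __name__ == "__main__":
    for ip, leaked, safe in scan_log(AD_SERVER_LOG):
        print(f"{ip} leaked {sorted(leaked)} via Referer -> {safe}")
```

Only the first constructed line produces a finding: the token is decoded from the query string exactly as the ad server would see it, while the token-free page and the request with no Referer are reported clean. The fragment check in find_leaked_tokens is the practical point: a token that only ever lives after the # is not sent in Referer, which is the reason OAuth 2.0's client-side flow placed it there.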
But if an unauthorized party does hold a member's live token, the
abuse might not show up as mass spam or other obvious misuse; it
would more likely be quietly siphoning information from the profile,
unbeknown to the user. "If any are abusing it, it's probably to
quietly scrape your information and not to make too much noise,"
says Nitesh Dhanjani, a senior manager at Ernst & Young and a
security expert.