Just recently, Symantec discovered a vulnerability in the way Facebook handled embedded frames that allowed application developers to access profile information of users who had installed their applications. Reports now say that nearly 100,000 applications may have been affected by this flaw, potentially exposing millions of users. Facebook has fixed the flaw and denies that any misuse took place.
As ComputerWorld reports, Facebook today denied that it had accidentally exposed sensitive personal user data to advertisers and other third parties for several years. The flaw, now fixed, was reported to Facebook by Symantec, whose report stated that advertisers had access to member profiles, member photos, and chat messages. Advertisers were allegedly able to post messages and mine personal data from those accounts.
The security flaw was essentially a faulty API used by developers of Facebook applications. It allowed roughly 100,000 Facebook apps to accidentally expose the access tokens that users grant to those applications. Each token is associated with a set of permissions that allow the holder to read your wall, access your friends' profiles, post on your wall, and so on. The problem was that any third party or advertiser associated with the application developer could also have obtained these tokens, and could then do whatever the token's permissions allowed with your account.
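As an added illustration (not from the article or from Symantec's report) of how a defender would check for this class of leak: the script below scans constructed request-log lines for OAuth access tokens appearing in request URLs or Referer headers, which is the path such a token takes to a third-party ad or content host when it is carried in the page URL. The log format, the token parameter names and the sample values are all assumptions; the article does not describe the exact mechanism.

```python
"""Detect OAuth access tokens leaking to third parties through request URLs
or Referer headers. Log format, key names and sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Query-string keys that commonly carry bearer credentials (assumption).
TOKEN_KEYS = {"access_token", "oauth_token"}

# Simplified access-log line: METHOD PATH "REFERER" (constructed format).
LOG_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) "(?P<referer>[^"]*)"$')

# Constructed sample: a third-party ad host's log. Line 1 receives a token via
# the Referer of an embedded-frame page; line 3 receives one in the URL itself.
SAMPLE_LOG = """\
GET /ad.js?campaign=42 "https://apps.example-app.test/canvas/?access_token=TOK1_constructed&expires=7200"
GET /pixel.gif "https://apps.example-app.test/canvas/?signed_request=abc"
GET /widget?access_token=TOK2_constructed "-"
"""


def tokens_in_url(url):
    """Return credential values found in the query string of a URL."""
    query = parse_qs(urlsplit(url).query)
    return [v for key in TOKEN_KEYS for v in query.get(key, [])]


def redact(token):
    """Keep only a short prefix so the finding itself does not leak the token."""
    return token[:4] + "..." if len(token) > 4 else "***"


def find_token_leaks(log_text):
    """Flag every line where a token reached this host via URL or Referer."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        for source, url in (("request", m["path"]), ("referer", m["referer"])):
            if url == "-":
                continue  # no Referer sent
            for tok in tokens_in_url(url):
                leaks.append({"line": lineno, "source": source, "token": redact(tok)})
    return leaks


if __name__ == "__main__":
    for leak in find_token_leaks(SAMPLE_LOG):
        print(f"line {leak['line']}: token {leak['token']} via {leak['source']}")
```

Any hit means a bearer credential has already left the application's origin, so the mitigation is to rotate the token and stop putting it in URLs, not just to clean the log.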
According to Symantec, the repercussions of this flaw could have been “far and wide.”
Facebook argued otherwise, claiming that Symantec’s report of the flaw had a few “inaccuracies.” Facebook spokeswoman Malorie Lucich said, “We appreciate Symantec raising this issue and we worked with them to address it immediately … specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours. The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies. We take any potential issue seriously and quickly took steps to prevent this from happening again.”
As we already know, Facebook has faced numerous privacy-related issues in the past few years. This problem will hardly dent a reputation already tainted by poor privacy practices. How do you feel about this? Post your thoughts in the comments!