Millions of users on Facebook will not be pleased to hear that advertisers and other third-party organisations had the potential to get unauthorised access to many Facebook user accounts and profile information, due to a software flaw. This information comes from one of the most respected anti-virus and anti-spyware organisations, Symantec Corp.
According to information released by Symantec, hundreds of thousands of third-party applications leaked user account access tokens to advertisers and others across the last couple of years. In April alone, when the flaw was found, 100,000 applications were enabling the leakage.
Symantec say that Facebook have been advised of the flaw and have fixed it, but some of the leaked access codes, called tokens, might still be stored in log files or in applications and could be exploited.
Symantec wrote in a blog post: “Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.
Facebook have acknowledged the flaw but have said that no one has exploited it. They said: “We've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties.”
KitGuru says: Hopefully not a sign of things to come for Facebook.