Thousands of Facebook applications have inadvertently leaked access tokens to third parties like advertisers, security giant Symantec has warned.
The flaw may have let hundreds of thousands of apps leak "millions" of access tokens to third parties over the years, Symantec estimated.
As of April 2011, close to 100,000 applications were leaking the tokens, potentially enabling third parties to get hold of user data and post messages on profiles, the security firm said.
Users are supposed grant apps access tokens to allow the applications to carry out certain tasks, such as posting on profile pages.
We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.
The indirect leaks were seen by Symantec during the sign-up phase for apps, at the point when the application used a client-side redirect designed to send the user to a permissions dialog box.
"This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, return_session=1' and session_version=3,' as part of their redirect code," the security firm explained in a blog post.
"If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host."
Once this happened, the Facebook app could have leaked access tokens to third parties, possibly on purpose.
Facebook has now fixed the problem, after Symantec informed the social networking giant of the issue.
Yet the security firm raised fears third parties could still be using the tokens for their own gains.
"We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers," Symantec added.
"Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile."
Facebook's security practices have been under heavy scrutiny in recent times.
Last month, Sophos issued a public letter to Facebook, calling for the company to enforce some security changes.
In particular, Sophos wanted to see HTTPS used for everything on the site.
-
The IT industry’s shift to circular, low-carbon solutionsMaximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
Lenovo ThinkPad X9 14 Aura Edition reviewReviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
96% of SMBs are missing critical cybersecurity skills – here's whyNews The skills shortage hits SMBs worse as they often suffer from a lack of budget and resources
-
Sophos Firewall Virtual review: Affordable network protection for those that like it virtualizedReviews Extreme network security that's cheaper than a hardware appliance and just as easy to deploy
-
MSPs are struggling with cyber security skills shortagesNews A shortage of tools and difficulties keeping pace with solutions were also ranked as key issues for MSPs
-
Nearly 70 software vendors sign up to CISA’s cyber resilience programNews Major software manufacturers pledge to a voluntary framework aimed at boosting cyber resilience of customers across the US
-
Sophos and Tenable team up to launch new managed risk serviceNews The new fully managed service aims to help organizations manage and protect external attack surfaces
-
Ransomware groups are using media coverage to coerce victims into payingNews Threat actors are starting to see the benefits of a more sophisticated media strategy for extracting ransoms
-
Shrinking cyber attack “dwell times” highlight growing war of attrition with threat actorsNews While teams are becoming more proficient at detecting threats, attackers are augmenting their strategies
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
