On Tuesday security researchers at Symantec reported that hundreds of thousands of Facebook apps have been inadvertently leaking user data to third-party developers for years due to a programming error. Facebook acknowledged the issue, but claimed that information was never accessible thanks to contracts the social networking giant has with third parties and assured worried Facebook users that they had no evidence of information being used in ways that violated company policies.
According to the Symantec report, a faulty API was accidentally transmitting access tokens to third parties like advertisers. This error allowed third parties access to users’ accounts, including profiles, chats, and pictures, as well as enabled the parties to mine personal data and even post messages on users’ walls.
“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
Symantec offered some assurances, though, saying that they have worked with Facebook to fix the error since its discovery and that many of the third parties likely had no idea they had access to this information. They did advise users to change their passwords just in case, however, since this will lock out any third-party who may have access to this information. Given that there is no way of knowing just how many access tokens were leaked since Facebook started releasing apps back in 2007 and there is a chance that the tokens are still being used by advertisers or available in log files in third-party servers, all Facebook users should strongly considering changing their passwords in the near future.
Facebook acknowledged the problem, announcing today that the site is now requiring that all third-party sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1st. They also announced that they would be retiring their old authentication routine. That said, Facebook did somewhat downplay the situation.
“We appreciate Symantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has a few inaccuracies. Specifically, we’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies.”
All of this sounding strangely familiar? It should: this is certainly not the first time Facebook has had a privacy glitch regarding apps gaining access to user information. Back in October, for instance, The Wall Street Journal reported that some of Facebook’s most popular apps, such as Farmville and TexasHoldEm Poker, had been sending user information to advertisers in secret.
While it is undoubtedly good news that Facebook took this recent privacy issue seriously and fixed the problem promptly and effectively, it is nevertheless discouraging to hear that they have had yet another privacy breach. One can hope that this will be the last time we hear about Facebook privacy issues and information leaks, considering just how many people use Facebook around the world and how rapidly it is expanding; unfortunately, given their track record over recent years, this is likely wishful thinking.