Facebook apps leak access data
In a post on its official blog, security specialist Symantec says that Facebook "iFrame" applications accidentally leaked data that could have allowed app creators to access users' accounts. According to Symantec's analysis, the problem was caused by a flaw in the old Facebook API which apps used to authenticate their account access. When a user grants account access to a web app, the app is given an "access token" which it can then renew.
Symantec said that this access token can be mistakenly inserted into a URL returned by Facebook to the app server when the user logs in to an app. If the app then loads an ad banner or analytics code, the browser sends that URL, including the access token, in the Referer header of its HTTP request for the content. This referrer data is likely to have been stored in the log files on the advertising or analytics providers' servers.
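The following is an added example, not code from Symantec, Facebook or the article: it shows the defender's two sides of the leak described above. First, a scan over constructed web-server log lines, written as an ad or analytics provider would record them, that flags requests whose Referer carries an access token; second, the mitigation an app should apply, redirecting to a scrubbed URL before it renders any page that embeds third-party content, so the token never reaches the Referer. The parameter name `access_token`, the host `apps.example-app.test`, the token values and all log lines are constructed for the example.

```python
"""Detect access tokens leaking through the Referer header, and scrub them.

Added example for this article; not Symantec's or Facebook's code. All log
lines, hosts and token values are constructed. Only the query string is
inspected, because browsers never send the URL fragment in Referer.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that must never reach a third party via Referer.
SENSITIVE_PARAMS = frozenset({"access_token"})

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, as an ad/analytics server would log them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.example-app.test/canvas/?access_token=EXAMPLE_TOKEN_abc123&expires=0" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.example-app.test/canvas/" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:12:00:03 +0000] "GET /banner.js HTTP/1.1" 200 812 "http://apps.example-app.test/canvas/?access_token=EXAMPLE_TOKEN_def456" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:12:00:04 +0000] "GET /banner.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def find_leaked_tokens(log_text):
    """Return one finding per log line whose Referer carries a sensitive parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        parts = urlsplit(referer)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in SENSITIVE_PARAMS:
                findings.append({
                    "time": m.group("time"),
                    "client": m.group("ip"),
                    "app_host": parts.netloc,
                    "param": name,
                    # Record only a prefix: the scan output must not become a second leak.
                    "token_preview": value[:8] + "...",
                })
    return findings


def scrub_url(url):
    """Strip sensitive query parameters and the fragment from a URL.

    An app that receives a token in its own URL should redirect the browser to
    scrub_url(request_url) before rendering anything that loads third-party
    content; the Referer sent for that content then no longer carries the token.
    The fragment is dropped too, since a token left there stays visible to any
    script running in the page.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SENSITIVE_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def needs_redirect(url):
    """True when the URL the app was loaded with still contains a sensitive parameter."""
    return scrub_url(url) != url


if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG):
        print("LEAK", f["time"], f["client"], f["app_host"], f["param"], f["token_preview"])
    landing = "http://apps.example-app.test/canvas/?access_token=EXAMPLE_TOKEN_abc123&expires=0"
    if needs_redirect(landing):
        print("redirect to", scrub_url(landing))
```

The scan is the check an analytics or advertising provider could run over its own historical logs to see whether it had been holding third-party tokens without realising it; the redirect is what an app developer could deploy immediately, before the move to OAuth 2.0, to stop new tokens reaching partners. Modern apps can add a restrictive `Referrer-Policy` header as a further layer, but that did not exist in 2011 and is no substitute for keeping secrets out of URLs.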
Symantec notes that the app providers and their advertising partners may not have realised that they could access this information. The security firm added that it is ultimately impossible to gauge how many tokens have been leaked since Facebook apps were first introduced in 2007. Reportedly, close to 100,000 Facebook apps may have had access to the tokens because of the flaw. Symantec recommends that concerned users should change their Facebook password, which is believed to invalidate the leaked tokens. Facebook has since fixed the problem and informed third-party app developers about the changes. By 1 October 2011, all apps will be required to authenticate using OAuth 2.0.