Symantec: Facebook applications inadvertently leaked personal information

If Facebook was really an "appalling spy machine," it would probably be decommissioned and smashed to bits for allowing information to leak easily to unwanted hands. No, it's not necessarily just American intelligence agencies. Advertisers would kill to have a massive database of personal information from hundreds of millions of people, regardless of privacy settings. The culprit? The "access tokens" Facebook grants to applications to allow them limited access to a subset of a user's Facebook profile.

The discovery was made by Symantec, which published a blog post with its findings. As Symantec explains, the access tokens are similar to handing out "spare keys" that let third parties into your profile. The issue affects older Facebook applications that do not use OAuth 2.0 for authentication and instead rely on a deprecated method: passing "return_session=1" and "session_version=3" as parameters in a redirect URL. Facebook would then return a token to the application, which would proceed to gather the profile information it uses.

The problem arises when an application embeds a hidden IFRAME: the URL containing the above parameters is then passed to a third party in the referrer field. Anyone who obtains that URL also obtains the access token, and with it the same level of access the user granted to the application.
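An added example, not code from the article or from Symantec's post, of how a defender would spot this leak in server logs: a third-party host that receives a Referer carrying the deprecated parameters (or a token) has been handed the "spare key". It assumes Apache/nginx combined log format and assumes the token travels in a parameter named access_token (the return_session and session_version names come from the article); the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# return_session and session_version are named in the article; "session" and
# "access_token" are assumed names for the token-bearing fields.
SENSITIVE_PARAMS = {"return_session", "session_version", "session", "access_token"}

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def sensitive_query_params(url):
    """Return the names of sensitive query parameters carried in a URL."""
    if not url or url == "-":
        return set()
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return names & SENSITIVE_PARAMS

def find_referer_leaks(log_lines):
    """Flag requests whose Referer handed a token to this (third-party) host."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than misparse
        leaked = sensitive_query_params(m.group("referer"))
        if leaked:
            findings.append({
                "client": m.group("ip"),
                "referer_host": urlsplit(m.group("referer")).hostname,
                "params": sorted(leaked),
            })
    return findings

def strip_sensitive_params(url):
    """Application-side mitigation: rebuild the URL without token-bearing parameters."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed sample log lines (not real traffic): the first Referer carries the
# deprecated parameters and a token, the second is harmless.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/May/2011:13:55:36 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://app.example.test/canvas?return_session=1&session_version=3&access_token=EXAMPLE_TOKEN" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:13:55:40 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://app.example.test/canvas?page=2" "Mozilla/5.0"',
]
```

Running find_referer_leaks over a third party's access log lists which clients' tokens it received; strip_sensitive_params shows the rewrite an application can apply before any page that embeds third-party content is served.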

Facebook has been alerted and has issued a response on its Developer blog. In particular, the deprecated form of authentication will be removed on September 1 of this year, and applications must move to OAuth 2.0.

In the meantime, Symantec recommends that concerned users change their Facebook passwords to force applications to request a new access token. Users would also be wise to watch which applications they grant access to.


That's right!!! There are apps which give you the opportunity to fill in a form with information of your friends so that the magical app can better perform its tricks.

este said,
Good thing I don't use apps within Facebook

Doesn't matter. If your friends use apps, they can give away your personal information for you. I'm not kidding.

This is why I don't install any apps. Because I respect the privacy of myself and my friends. Problem is my friends don't and they install every ****ing app known to man on their profile. I mean seriously, who can actually click on an app and have it tell you all the stuff it wants access to:

Your friend
Your Pictures
Your wall

and not be ****ing freaked out by that and still install the application. Most of my friends on Facebook have a wall just spammed with app ****.

warwagon said,
This is why I don't install any apps. Because I respect the privacy of myself and my friends. Problem is my friends don't and they install every ****ing app known to man on their profile. I mean seriously, who can actually click on an app and have it tell you all the stuff it wants access to:

Your friend
Your Pictures
Your wall

and not be ****ing freaked out by that and still install the application. Most of my friends on Facebook have a wall just spammed with app ****.

You and me both. I'd prefer a news feed overrun with random embarrassing photos than requests to donate virtual food.

I agree. That was one of the reasons why I've "deleted" my account on Facebook. I quoted the word deleted because even though I cancelled my account, I know Facebook never deletes any accounts, they keep all the information INCLUDING YOUR PHOTOS. So if you think the information or the photos you upload to Facebook are yours, think again.
Some people think Facebook is the only one on the block. There are better alternatives, like twitter.com, or even better http://www.miius.com, which don't profit by selling your data.

Didn't they change their privacy statement, saying that you now can delete your account and that they will only keep the data for 90 days (backup time frame)?

Robbeke said,
Didn't they change their privacy statement, saying that you now can delete your account and that they will only keep the data for 90 days (backup time frame)?

I have a friend who deleted his Facebook account and after ONE year he decided to go back to being a Facebook user and he was able to restore his deleted account with all his data automatically, proving the point that they keep the data. What they say in their privacy statement and what they do are two different things.

Let's not forget that Facebook is a company, they want to profit. They're not there as a charity.

One of the reasons I got rid of Facebook almost as fast as I signed up to use it. It started signing me into all sorts of things that I had accounts for already (Pandora, etc.). I don't like sites that do that for me. Too integrated which means it's sharing something I don't want it to.

Amodin said,
One of the reasons I got rid of Facebook almost as fast as I signed up to use it. It started signing me into all sorts of things that I had accounts for already (Pandora, etc.). I don't like sites that do that for me. Too integrated which means it's sharing something I don't want it to.

That amongst so many other things!!

Facebook and all the other socially networked diseased websites should've ALREADY been decommissioned!!

cork1958 said,

Facebook and all the other socially networked diseased websites should've ALREADY been decommissioned!!

I disagree - FB has generated a load of income, which in turn will have generated some nice tax revenue. It's a hugely adopted and successful marketing tool for small & large businesses, and charity campaigns.

And best of all, it's *COMPLETELY OPTIONAL*.


If Facebook was really an "appalling spy machine," it would probably be decommissioned and smashed to bits for allowing information to leak easily to unwanted hands.
Why? Why would it be decommissioned when it's benefiting so many businesses with people's personally identifiable information? Please enlighten me.

If Facebook was really an "appalling spy machine," it would probably be decommissioned and smashed to bits for allowing information to leak easily to unwanted hands.

I, too, would like to see your, ehm, logical path to this deduction.

From the user's point of view, what is the difference between leaking personal info and Facebook selling the same personal info?

alexalex said,
From the user's point of view, what is the difference between leaking personal info and Facebook selling the same personal info?

One is intentional, the other is not.

alexalex said,
From the user's point of view, what is the difference between leaking personal info and Facebook selling the same personal info?

The comments on this site are so damn out there anymore that I can almost barely handle coming to Neowin to read news anymore.