If Facebook was really an "appalling spy machine," it would probably be decommissioned and smashed to bits for allowing information to leak easily to unwanted hands. No, it's not necessarily just American intelligence agencies. Advertisers would kill to have a massive database of personal information from hundreds of millions of people, regardless of privacy settings. The culprit? The "access tokens" Facebook grants to applications to allow them limited access to a subset of a user's Facebook profile.
The discovery was made by Symantec, who published a blog post with their findings. As Symantec explains, the access tokens are similar to handing out "spare keys" for third parties to access your profile. The issue affects older Facebook applications that do not use OAuth 2.0 for authentication and instead rely on a deprecated method that passes "return_session=1" and "session_version=3" as parameters in a redirect URL. Facebook then returns a token to the sender, and the application proceeds to gather information for its own use.
The problem arises when an application embeds a hidden IFRAME: the URL containing the above parameters is then passed to a third party in the browser's referrer field. Anyone who obtains that URL also obtains the access token it carries, and with it the same level of access the user consented to grant the application.
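The leak described above is detectable on the receiving side: a third-party host that logs incoming Referer headers can check whether those URLs carry token-bearing parameters and redact them before they are stored. The following is an added example, not code from the article or from Symantec; the parameter names "access_token" and "session" and the log line format are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that mark the deprecated Facebook redirect flow named in the article.
LEGACY_FLOW_MARKERS = {"return_session", "session_version"}
# Parameter names assumed to carry the token itself; adjust to the flow you observe.
SECRET_PARAMS = {"access_token", "session"}


def referrer_leaks_token(referrer: str) -> bool:
    """True if a Referer URL carries a token or the legacy flow's marker parameters."""
    params = dict(parse_qsl(urlsplit(referrer).query, keep_blank_values=True))
    return any(k in SECRET_PARAMS for k in params) or LEGACY_FLOW_MARKERS.issubset(params)


def redact_referrer(referrer: str) -> str:
    """Drop secret-bearing query parameters so the URL can be logged or forwarded safely."""
    parts = urlsplit(referrer)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SECRET_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed sample log lines: request, then the Referer sent by the embedding page.
SAMPLE_LOG = [
    "GET /ad.js referer=https://apps.example.com/game?ref=home",
    "GET /ad.js referer=https://apps.example.com/game?return_session=1"
    "&session_version=3&access_token=EXAMPLE_TOKEN_123",
    "GET /pixel.gif referer=https://apps.example.com/game?session=%7B%22access_token%22%3A%22X%22%7D",
]


def scan_log(lines):
    """Return (request, redacted referrer) for every line whose Referer leaks a token."""
    findings = []
    for line in lines:
        request, _, referrer = line.partition(" referer=")
        if referrer and referrer_leaks_token(referrer):
            findings.append((request, redact_referrer(referrer)))
    return findings


if __name__ == "__main__":
    for request, safe_url in scan_log(SAMPLE_LOG):
        print(f"token leaked via Referer on {request}; redacted form: {safe_url}")
```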
Facebook has been alerted, and they have issued a response on their Developer blog. In particular, the deprecated form of authentication will be removed on September 1 of this year, and applications must move to OAuth 2.0.
In the meantime, Symantec recommends that concerned users change their Facebook passwords, which invalidates existing tokens and forces applications to request new ones. In addition, it would be wise for users to watch which applications they grant access to.