Facebook plugs third-party access to user accounts

Facebook has plugged a hole that was inadvertently providing advertisers and other third parties access to user accounts via tokens that serve as "spare keys," Symantec said today after disclosing the problem to the social-networking company.

"Facebook was notified of this issue and has confirmed this leakage," Nishant Doshi, a senior software engineer at Symantec, wrote in a blog post. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."

"We estimate that as of April 2011 close to 100,000 applications were enabling this leakage," Doshi wrote. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."

A Facebook spokesperson told CNET that the company could not find any evidence that private user information was being shared with unauthorized third parties and that contractual obligations prohibit advertisers and developers from obtaining or sharing user information in a way that violates the site's policies.

"We have no evidence of this information being used in a way that violated our policies, but nonetheless, we take any potential issue seriously and quickly took steps to prevent this from happening with apps on Facebook," a company statement said.

User access tokens, which are akin to "spare keys," allow applications to perform certain actions on behalf of the user or to access the user's profile, according to Doshi. Most tokens expire after a short time, but the application can request offline access tokens, which allow them access until the user changes the password, even when the user is not logged in, according to his post.

The leak was happening when an application used a legacy Facebook application programming interface with older authentication schemes, instead of the new OAuth 2.0 data sharing protocol, Doshi said. (Google in mid-2008.) If certain parameters were used in the coding, the tokens would be sent in a URL to the application host, and from there could be leaked to advertisers and analytic platforms via iFrame applications embedded in the page, he said.

Its unclear how many people are affected by this problem.

"There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007," Doshi wrote. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."

Facebook users can change their passwords to invalidate any leaked access tokens, effectively changing the lock on your profile, he said.

The Symantec research prompted Facebook to make some changes in its developer road map, including requiring all sites and apps to migrate to OAuth 2.0 and obtain an SSL (secure sockets layer) certificate by October 1.

"We have been working with Symantec to identify issues in our authenticationflow to ensure that they are more secure," the company said in a post on its developer blog. "This has led us to conclude that migrating to OAuth & HTTPS (Hypertext Transfer Protocol Secure) now is in the best interest of our users and developers."

Joey Tyson, a security engineer at Gemini Security Solutions who blogs about social networking at TheHarmonyGuy.com, said Facebook has been progressively improving the security of its platform and that many apps have limited permissions now. "This is a problem worth addressing, but it may not be as serious as some people are thinking it is, and it's certainly not as widely exploited as some people may fear," he said.