Six Lines

Facebook Apps Security Hole

Posted by Aaron Massey on 11 May 2011.

The Wall Street Journal has an article up about a security hole in the way Facebook Apps are allowed to access users’ information. It was recently discovered by Symantec, but it’s possibly been around for some time:

The issue, which Symantec described as accidental, centers on Facebook applications, the third-party programs that allow users to play games, shop and do other tasks on the Facebook website. In some cases, those applications shared with advertisers and analytics companies so-called access tokens, which act like spare keys (originally intended for the apps) to access or post information on a user’s account, including reading wall posts, accessing a friend’s profile, posting to a user’s wall and mining personal information.

As of April, Symantec estimated that the flaw affected close to 100,000 Facebook apps—and that since Facebook introduced apps in 2007 potentially hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

It is possible that the third parties didn’t realize they had the ability to access this information. Still, “the repercussions of this access token leakage are seen far and wide,” wrote Symantec researcher Nishant Doshi in a blog post.

Symantec informed Facebook of the problem in the second week of April, and the social network took steps to address it.

Note the use of responsible disclosure in that last line I quoted. This is somewhat unrelated to this post, but I found it interesting.

There are two things about Facebook and privacy that I believe are often misunderstood:

  1. Facebook apps are a bigger threat than Facebook friends, which are more often the focus of Facebook privacy discussions. Many Facebook users don’t realize how much information they are giving to apps just so they can take quizzes or play games.
  2. Facebook has a more pressing business interest in protecting user information than people think. Their ability to market to incredibly specific consumer groups is paramount to their business.