Skip to main content

Facebook apps leaked users' information, security firm says

Doug Gross
A leak in Facebook's old development platform provided "spare keys" to people's accounts, Symantec said.
A leak in Facebook's old development platform provided "spare keys" to people's accounts, Symantec said.
  • Symantec: Nearly 100,000 Facebook apps were leaking user information
  • Access was accidental and most didn't know it existed, says Symantec
  • Facebook acknowledges issue, but say unauthorized parties never got information

(CNN) -- Nearly 100,000 Facebook applications accidentally leaked access to users' Facebook accounts for several years, according to Web security firm Symantec.

Facebook applications are Web applications that work on the Facebook platform. Facebook says users install 20 million applications on its platform every day.

Third parties, mainly advertisers, had access to users' profiles, photos, chat and other personal information, according to a post Wednesday on Symantec's blog.

Facebook acknowledges the issue and says it's been addressed. But the social-networking giant also says that Symantec's report has some "inaccuracies" and that user information was never shared with unauthorized third parties.

Symantec's report said that over the years, hundreds of thousands of apps may have gotten "access tokens," which the company described as sort of a spare key to people's accounts.

"Needless to say, the repercussions of this access token leakage are seen far and wide," staffer Nishant Dosti wrote on the blog for the company, which sells the popular Norton anti-virus and security tools.

There's no good way to estimate exactly how many access tokens were leaked, Symantec said.

Luckily, Symantec says that most app developers probably didn't realize they had this access. The company says Facebook "has taken corrective action to help eliminate this issue" after the problem was discovered last month and brought to Facebook's attention.

Facebook says most access tokens expire in two hours, meaning they'd be useless to malicious third parties after that time.

A Facebook spokesperson told CNN in an e-mail that the site worked with Symantec to address the problem. But he said a "thorough investigation" didn't show any information got into the hands of unauthorized parties.

"In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies," he said.

On Tuesday, Facebook announced on its developer blog that it has been "working with Symantec to identify issues in our authentication flow to ensure that they are more secure."

That post announced an update that will require all Facebook websites and applications to switch to a new, more secure system for developers.

"We believe these changes create better and more secure experiences for users of your app," Facebook's Naitik Shah wrote in the post.

Facebook currently uses a more secure authentication system for applications, but has been still supporting the older, less secure version, Symantec said. The site hasn't found evidence that any leaked information has been used in a way that violates Facebook policies.

Facebook users can void any unauthorized access an app may have by changing their passwords.

Developers whose apps use Facebook's old system will have to transition to a new, more secure development system between now and October 1, according to the blog post. The new system gives users installing an app a detailed list of the access that app will have to their personal data.


Most popular Tech stories right now