Facebook leaked keys to account data: Symantec

May 11, 2011
US computer security firm Symantec has said that Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network.


Facebook told AFP that there was no evidence anyone stepped through that door and swiped any information from the accounts of its more than 500 million members.

Symantec discovered that certain applications leaked tokens that act essentially as "spare keys" for accessing profiles, reading messages, posting to walls or other actions.

Facebook applications are Web software programs that are integrated onto the leading online social network's platform. Symantec said that 20 million Facebook applications, such as games, are installed every day.

"We appreciate Symantec raising this issue and we worked with them to address it immediately," Facebook said in response to an AFP inquiry.

The tokens were being leaked to third-party applications including advertisers and analytics platforms, allowing them to post messages or mine personal information from profiles, according to Nishant Doshi of Symantec.

"Fortunately, these third-parties may not have realized their ability to access this information," Doshi said in a blog post.

"We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue."

Symantec estimated that as of April, nearly 100,000 applications were giving away keys to Facebook profiles.

"We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," Doshi said.

Facebook confirmed the problem, which was discovered by Doshi and Symantec colleague Candid Wueest, according to the computer security firm.

But Facebook said the Symantec report had a few "inaccuracies."

There was no evidence that the problem resulted in private information being gleaned from Facebook members' accounts, according to the California-based service.

"In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies," Facebook said.

There was no reliable estimate of how many tokens have been leaked since the release of Facebook applications in 2007.

Despite whatever fix Facebook has put in place, token data may still be stored in files on third-party computers, Symantec warned.

"Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens," Doshi said.

"Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile."
