Security company Symantec has posted a notification on their blog that reveals a flaw in the Facebook web application API that has allowed apps nearly complete access to user’s accounts. This includes profiles, photos, chat and the ability to mine customer information. Updates below.
Fortunately, says Symantec, these third-party apps may not have realized that they even had the ability in the first place. Facebook has been informed that the issue exists and they have taken ‘corrective action’ to eliminate the vulnerability.
Faceboook IFRAME applications, which are embedded web apps, had inadvertently been leaking access tokens to advertisers and analytics platforms. Symantec estimates that close to 100k apps were leaking info.
We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
At this point the leaking of access tokens, which act as keys to user information, to third parties has apparently been corrected by Facebook, but the vulnerability has existed for months. While Symantec does not believe that any of the developers of these applications where aware of their ability to access user data, it is not completely clear if they were or not.
There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.
They recommend that all users of Facebook who are concerned with the issue to change their password immediately. Changing their password will invalidate these tokens and remove a third-party apps ability to access their profile.
We also recommend changing your password on your Facebook account as a security precaution. The fact of the matter is that this vulnerability has now been fixed, but those access tokens that were issued may still be in the databases of third party vendors. If you do not change your password they still have access to that information.
Now that the vulnerability has been made public, some of these may attempt to take advantage of the extensive access to mine user data or much more. A full explanation of the vulnerability can be found at Symantec’s site.
Update. Facebook has posted an article on its developer blog, acknowledging that it is working with Symantec to improve security. They also state that they are now requiring that all applications use the newer OAuth 2.0 process for obtaining access keys.
Today, we are announcing an update to our Developer Roadmap that outlines a plan requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1.
The new authorization process will remove the older form of authentication that allowed for applications to obtain the authorization keys.
Update 2. Douglas Purdy, Facebook’s Director of Developer Relations, has left this response in the comments below. We are including it in the body of the post to ensure that it is noted by readers of this article.
We appreciateSymantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has some inaccuracies. Specifically, we’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies. Lastly, as you mentioned, the change we announced today on our developer blog removes the outdated API referred to in Symantec’s report.
As Purdy notes, developers of apps and advertisers working with Facebook are under contractual obligation to prohibits them from using user information in ways that violate Facebook’s policies. This would preclude them from utilizing any information obtained by improper authorization on part of Facebook’s API’s. It does not change the fact that the information was improperly accessible, a matter which Facebook promptly addressed as soon as it was brought to their attention.