Facebook applications leak users' personal data to third parties

Summary: A leading security firm warns users to change their passwords after 'spare keys' to their profiles were leaked by Facebook to application developers.

Change your Facebook password -- just to be on the safe side.

Symantec discovered that third-party Facebook applications had access to users' accounts and profiles "for years", and could see your profile, photographs and chat messages, and collect your personal information -- even if you had set it to private.

These applications may not, however, have known they could access this data, reports Symantec, which issued a warning to Facebook regarding the matter.

This could constitute the most widespread leak the site has suffered to date.

Facebook has since confirmed the issue existed and plugged the leak, so this can no longer be exploited. But with 20 million applications installed by users per day, this represents a huge potential leak of personal information.

Symantec explains how access tokens, or 'spare keys' that are granted to you by Facebook, can be used to authorise certain actions on behalf of the user. These are set up by the installed application, through the permission request box. Though these keys will expire after a short time, some of these tokens allow applications to access your data while you are not using the site.

It is suggested that Facebook could have passed on these access tokens in the URL to the application developers, which could then be passed on unknowingly to advertisers and other third parties.

Facebook denies these claims, stating that there are "inaccuracies" and that a thorough investigation showed "no evidence" that information was being sent to third parties.

This is not the first time Facebook has suffered a breach. Not only has it had to contend with its own internal code reaching the public site, which led to a full site shutdown late last year, but it has also been targeted by malicious code writers and suffered serious worm attacks through rogue applications.


About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
