Facebook apps have been accidentally leaking user data for years

Update: Facebook says it has found no evidence of apps leaking user data.

Facebook apps have been leaking access to millions of Facebook users’ accounts, including profiles, photographs, chat, and other personal information because of an old bug that overrides individual privacy settings. The flaw, which is fixed now, affected hundreds of thousands of apps before it was discovered by researchers from security company Symantec.

The bug exposed user access tokens to third parties, like advertisers and analytic platforms. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user or to access the user’s profile. Each token is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, and so on.

For years, certain Facebook IFRAME apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information that users may have secured in their privacy settings. Symantec has confirmed that Facebook has fixed the underlying bug, but tokens already exposed may still be widely accessible. The only comfort the company offered was that the third parties who were accidentally granted access to the data may not have realized their ability to access this information.

While many access tokens expire shortly after they’re issued, Facebook also supplies offline access tokens that remain valid indefinitely. Thankfully, Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys. If you use Facebook apps, go change your password on the social network as soon as possible.

Facebook sees 20 million pass installed every day. There’s no way to know precisely how many apps or Facebook users were affected by this flaw, but Symantec estimates that as of April 2011, almost 100,000 apps were making the leak possible. That’s just for last month though: over the years, hundreds of thousands of apps may have inadvertently leaked millions of access tokens to third parties, according to the security giant.

So how did this happen? Well, Facebook by default uses OAUTH2.0 for authentication. That being said, it looks like the company has not been regularly testing its older authentication schemes, which are still supported and used by hundreds of thousands of apps.

When a user opens up an app to install on the social network, Facebook first sends the app a limited amount of non-identifiable information about the user (their country, locale, and age bracket) so that the app can personalize the page. Then the app sends the user to a permission dialog page using a client-side redirect. If the app uses a legacy Facebook API as well as the deprecated parameters “return_session=1″ and “session_version=3″, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the app host. The Facebook app can then inadvertently leak the access tokens to third parties. Worse yet, the URL that includes the access token is actually passed to third party advertisers as part of the referrer field of the HTTP requests.

It’s no small coincidence that Facebook today announced that it will be permanently retiring its old authentication routine. The company is still working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 and HTTPS.

Facebook is requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate in the next five months. The company says that the sheer number of Facebook apps prevents the company from forcing developers to make the switch immediately. Here’s the timeline the company has announced:

• July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
• September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
• October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

I would prefer to see an accelerated timeline given how serious this security flaw was. Although it has apparently been fixed, it’s worrying that Facebook did not find it by itself after all these years of use.