Facebook apps have been accidentally leaking user data for years

Summary: Facebook has fixed a flaw affecting hundreds of thousands of its apps. You should still change your Facebook password though.

Update: Facebook says it has found no evidence of apps leaking user data.

Facebook apps have been leaking access to millions of Facebook users' accounts, including profiles, photographs, chat, and other personal information because of an old bug that overrides individual privacy settings. The flaw, which is fixed now, affected hundreds of thousands of apps before it was discovered by researchers from security company Symantec.

The bug exposed user access tokens to third parties, such as advertisers and analytics platforms. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user or to access the user's profile. Each token is associated with a select set of permissions, like reading your wall, accessing your friends' profiles, posting to your wall, and so on.

For years, certain Facebook IFRAME apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information that users may have secured in their privacy settings. Symantec has confirmed that Facebook has fixed the underlying bug, but tokens already exposed may still be widely accessible. The only comfort the company offered was that the third parties who were accidentally granted access to the data may not have realized their ability to access this information.

While many access tokens expire shortly after they're issued, Facebook also supplies offline access tokens that remain valid indefinitely. Thankfully, Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys. If you use Facebook apps, go change your password on the social network as soon as possible.

Facebook sees 20 million app installs every day. There's no way to know precisely how many apps or Facebook users were affected by this flaw, but Symantec estimates that as of April 2011, almost 100,000 apps were making the leak possible. That's just for last month, though: over the years, hundreds of thousands of apps may have inadvertently leaked millions of access tokens to third parties, according to the security giant.

So how did this happen? Well, Facebook by default uses OAuth 2.0 for authentication. However, it looks like the company has not been regularly testing its older authentication schemes, which are still supported and used by hundreds of thousands of apps.

When a user opens an app to install it on the social network, Facebook first sends the app a limited amount of non-identifiable information about the user (their country, locale, and age bracket) so that the app can personalize the page. Then the app sends the user to a permission dialog page using a client-side redirect. If the app uses a legacy Facebook API together with the deprecated parameters "return_session=1" and "session_version=3", Facebook subsequently returns the access token by sending an HTTP request to the app host with the access token in the URL. The Facebook app can then inadvertently leak the access token to third parties. Worse yet, the URL that includes the access token is passed to third-party advertisers as part of the referrer field of the HTTP requests their embedded content triggers.
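As an added illustration (not code from the article, Symantec, or Facebook) of why a token in the app-host URL ends up in the Referer header of every third-party request, here is a Python check an app host or ad platform could run: it strips the token from the URL before third-party content loads, and it scans web-server log lines for Referer headers that still carry one. The host names, the token value and the log lines are constructed, and treating `access_token` as the only secret parameter is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Only access_token is named on the page; treating it as the sole secret
# query parameter is an assumption for this example.
SECRET_PARAMS = {"access_token"}

# Constructed sample of the kind of app-host URL the legacy flow produced
# (the token value is a placeholder, not a real token).
LEGACY_URL = ("https://app.example.com/canvas/?return_session=1&session_version=3"
              "&access_token=PLACEHOLDER_TOKEN&expires=0")

def leaked_params(referer: str) -> list:
    """Names of secret params a browser would expose if this URL became a Referer."""
    return sorted({k for k, _ in parse_qsl(urlsplit(referer).query)} & SECRET_PARAMS)

def strip_secret_params(url: str) -> str:
    """Rebuild the URL without secret params: an app that redirects to this cleaned
    URL before loading third-party content keeps the token out of every Referer."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SECRET_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed combined-format log lines, as a third-party ad host would record them.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/May/2011:12:00:00 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"https://app.example.com/canvas/?return_session=1&session_version=3'
    '&access_token=PLACEHOLDER_TOKEN" "Mozilla/5.0"',
    '10.0.0.2 - - [10/May/2011:12:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"https://app.example.com/canvas/" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'"(?:GET|POST) [^"]*" \d+ \d+ "(?P<referer>[^"]*)"')

def find_leaks(lines) -> list:
    """Detection: (line number, leaked param names) for each log entry whose
    Referer header carries a token-bearing query string."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            names = leaked_params(m.group("referer"))
            if names:
                hits.append((n, names))
    return hits

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))           # [(1, ['access_token'])]
    print(strip_secret_params(LEGACY_URL))  # URL without the access_token param
```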

It's no small coincidence that Facebook today announced that it will be permanently retiring its old authentication routine. The company is still working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 and HTTPS.

Facebook is requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate in the next five months. The company says that the sheer number of Facebook apps prevents the company from forcing developers to make the switch immediately. Here's the timeline the company has announced:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

I would prefer to see an accelerated timeline given how serious this security flaw was. Although it has apparently been fixed, it's worrying that Facebook did not find it by itself after all these years of use.

Topics: Social Enterprise, Networking, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Talkback

17 comments
  • RE: Facebook apps have been accidentally leaking user data for years

    Another reason I am proud to be FB free! Only Google and Apple are allowed to leak my personal info. Lol.
    Bates_
    • It's not like FB users have been leaking personal info for years

      @Bates_
      themselves:
      "Here we are in OC! Look at the kids!"
      "Going away: 5 days to go before Family vaca in FLA!"
      "Check out my new car"
      "House looks nice now that we painted it!"
      "The kids and their cousins at BD party!"

      All complete with pictures.
      John Zern
      • RE: Facebook apps have been accidentally leaking user data for years

        @John Zern +2 for you good sir.
        Bates_
      • RE: Facebook apps have been accidentally leaking user data for years

        @John Zern
        http://innovations09.blogspot.com/2011/05/symantec-says-facebook-apps-leak.html
        northnwest
    • RE: Facebook apps have been accidentally leaking user data for years

      @Bates_
      http://innovations09.blogspot.com/2011/05/symantec-says-facebook-apps-leak.html
      northnwest
    • You don't want your info leaked - don't share it

      @Bates_
      NT
      use_what_works_4_U
  • OK OK, but how is this windows fault?

    I am sure the LSM in Linux would have prevented this.
    Your Non Advocate
  • RE: Facebook apps have been accidentally leaking user data for years

    Facebook had been taking a permanent "leak" ever since it went online! No Facebook for me, never, ever.
    canewshound@...
  • RE: Facebook apps have been accidentally leaking user data for years

    There is nothing accidental about FB leaking information.
    gibbons@...
  • RE: Facebook apps have been accidentally leaking user data for years

    does this mean the world can see my no no zone ha ha har
    ampjack
  • RE: Facebook apps have been accidentally leaking user data for years

    @bates
    What about Sony?
    I believe the bulk of Facebook accounts are fictitious anyways. So many people use FB to live alter egos. I really live in Mongolia.
    Tucson Bill
  • RE: Facebook apps have been accidentally leaking user data for years

    Irregardless of whether you are sharing information on any of the social media networks, your personal data is never really personal!
    customersevice@...
  • RE: Facebook apps have been accidentally leaking user data for years

    It's a feature!
    Tommy S.
  • RE: Facebook apps have been accidentally leaking user data for years

    I don't know about accidental, but when I first got on Facebook I read the EULA with one of those silly apps that clutter the site. The fine print said that by using the app you were granting access to all your pictures, your wall posts, you conversations and permission also extended to allowing third parties to use anything they wanted, even pictures that weren't of you, in whatever manner they saw fit.

    There were some differences from one to the other but all overrode security settings set for the account. I preached that to my family and friends and only 1/4 give or take understood what it meant. I tell people don't be surprised if the 20 Questions Game you play Monday leads to your smiling face with an adult diaper or Viagra ad the following week!
    jhand47201