Facebook applications leak users' personal data to third parties

By Zack Whittaker | May 10, 2011, 3:23pm PDT

Summary: A leading security firm warns users to change their password after ‘spare keys’ to your profile have been leaked by Facebook to application developers.

Change your Facebook password — just to be on the safe side.

Symantec discovered that third-party Facebook applications had access to users’ accounts and profiles “for years”, and could see your profile, photographs and chat messages and collect your personal information — even if you had set it to private.

These applications may not, however, have known they could access this data, reports Symantec, which issued a warning to Facebook regarding the matter.

This could constitute the most widespread leak the site has suffered to date.

Facebook has since confirmed the issue existed and plugged the leak, so this can no longer be exploited. But with 20 million applications installed by users per day, this represents a huge potential leak of personal information.

Symantec explains how access tokens, or ‘spare keys’ that are granted to you by Facebook, can be used to authorise certain actions on behalf of the user. These are set up by the installed application, through the permission request box. Though these keys will expire after a short time, some of these tokens allow applications to access your data while you are not using the site.

It is suggested that Facebook could have passed on these access tokens in the URL to the application developers, which could then be passed on unknowingly to advertisers and other third parties.
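A token carried in a URL is recorded wherever that URL is logged, which makes the exposure checkable from server logs. The sketch below is an added example, not code from the article or from Symantec: it audits log lines for tokens in the request URL or the Referer field and masks them. The parameter name `access_token`, the Referer field as the route to third parties, and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: the token uses the OAuth 2.0 parameter name access_token;
# the article itself only says the token is "in the URL".
TOKEN_PARAMS = {"access_token"}

def redact_url(url):
    """Return (clean_url, leaked); token values in query or fragment are masked."""
    parts = urlsplit(url)
    leaked, cleaned = False, []
    for component in (parts.query, parts.fragment):
        pairs = parse_qsl(component, keep_blank_values=True)
        if not any(k in TOKEN_PARAMS for k, _ in pairs):
            cleaned.append(component)  # no token here: keep the text unchanged
            continue
        leaked = True
        cleaned.append(urlencode(
            [(k, "REDACTED" if k in TOKEN_PARAMS else v) for k, v in pairs]))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, *cleaned))
    return clean, leaked

# Combined log format: "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def audit(lines):
    """List (line_number, field, redacted_url) for every URL carrying a token."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("target", "referer"):
            clean, leaked = redact_url(m.group(field))
            if leaked:
                findings.append((n, field, clean))
    return findings

# Constructed sample: line 1 is the application's own log, line 2 is a third
# party's log that received the same URL as a Referer, line 3 is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:15:23:00 -0700] "GET /canvas/?access_token=EXAMPLETOKEN123&lang=en HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [10/May/2011:15:23:01 -0700] "GET /ad.js HTTP/1.1" 200 90 "http://app.example/canvas/?access_token=EXAMPLETOKEN123&lang=en" "UA"',
    '203.0.113.9 - - [10/May/2011:15:24:10 -0700] "GET /index.html HTTP/1.1" 200 1024 "http://app.example/" "UA"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any hit in the `referer` field means the token has already reached another party's logs, so the token should be treated as disclosed and revoked rather than only masked.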

Facebook denies these claims, stating that there are “inaccuracies” and that a thorough investigation showed “no evidence” that information was being sent to third parties.

This is not the first time Facebook has suffered a breach. Not only has it had to contend with its own internal code reaching the public site, which led to a full site shutdown late last year, but it has also been targeted by malicious code writers and suffered serious worm attacks through rogue applications.


Zack Whittaker, a criminologist who studied at the University of Kent, Canterbury, is a journalist, writer and broadcaster.

Disclosure

Zack Whittaker

I worked briefly with Microsoft UK in 2006 but no longer have any connection with the company. Regardless, I remain impartial and unbiased in my views.

I don't hold any stock or shares, investments or industrial secrets in any company, but have signed confidentiality agreements with a number of UK and U.S. organisations, whose names I am not at liberty to disclose.

I was involved with Kent Union, the University of Kent's student union, undertaking voluntary, non-salaried, elected positions between early 2009 and mid-2010.

No other company, body, government department, non-governmental organisation or third sector organisation employs me or pays me a salary in any capacity whatsoever.

As a freelance journalist, whenever expenses are given and taken by a company that is not CBS Interactive, these will be disclosed in each relevant post to ensure transparency.

I currently work with a UK law enforcement unit, but this is an entirely separate position which bears no connection to other work.

(Updated: 23rd October 2011)

Biography

Zack Whittaker

Zack Whittaker, a criminologist who studied at the University of Kent, UK, is a journalist, writer and broadcaster.

After studying criminology at university, though still in his early 20s, he has already had a series of unconventional work and voluntary positions. He has worked with researchers studying neurological illnesses like Tourette's syndrome (which he suffers from), has given lectures on the nature of disabilities in the public community, and occasionally ends up speaking on television and radio discussing the events of the day.

He first had academic work published at the age of 22, then still an undergraduate, and has been cited by a wide range of publications, including the Huffington Post, Business Insider, AllThingsDigital, The Atlantic Wire and CBS News.

8 Comments


Facebook must take a step.
Jovanvaldeze 20th Mar
What a shame, Facebook should take this into consideration in the first place.

http://www.socialcubix.com
0 Votes
Leak?
wackoae 10th May 2011
The primary purpose of Facebook is to "steal" personal data. You can't claim that a "drainer" has a leak when it is working as designed.
0 Votes
Your relationship with Facebook
HollywoodDog 11th May 2011
has to be managed by you, and the easiest way to do that is to use fake names and bogus personal info. You and your friends know who one another are. If you're feeding the Facebook pig with your real personal data, don't get upset when they leak it, steal it or sell it.
I think the real message here is that YOU need to control what you put on facebook...I have nothing on there that I would give a sh*t about if anyone else saw. My profile is already set to public for the most part because the things I put on there are easily findable elsewhere if you really wanted to look (remember: phone books have your name, phone number and address...not a big deal)
I think this is another case of "user beware"... Some of us have become way too trusting and dependent upon the security of the internet. Doesn't anyone realize that we should protect ourselves first. Then trust in the next man second. I mean no one has forced anyone to truthfully fill in required fields.... Come on now!
0 Votes
I am amazed
jhodkinson@... 11th May 2011
It still amazes me how much info kids put on their facebook pages and you don't need permission to view some of it either. I warned my brother that his daughter had her address that anyone could read and his retort was 'oh, she is pretty savvy' hmmmm??? I refuse to join but seem able to see most of the family pictures from friends without an invite - just crazy!!! Even on a game site I see such very personal conversations going on - are they dumb or what?
0 Votes
There is a Solution!
ilya_rubinshteyn 12th May 2011
This is very unfortunate to hear. However this does not surprise one with all the garbage going around the web these days. A solution would be great, and so here it is: uProtect.it; this is a plug-in that will allow one to post any information on Facebook and have it be protected! Example: you want to post some private info as your status/wall post/comment, but you only want one or two of your friends to see it. This plug-in will allow you to do just that! No more information getting leaked!
0 Votes