Facebook applications leak users' personal data to third parties

Summary: A leading security firm warns users to change their password after 'spare keys' to your profile have been leaked by Facebook to application developers.


Change your Facebook password -- just to be on the safe side.

Symantec discovered that third-party Facebook applications had access to users' accounts and profiles "for years", and could see your profile, photographs, chat messages and collect your personal information -- even if you had set it to private.

These applications may not, however, have known they could access this data, reports Symantec, which issued a warning to Facebook regarding the matter.

This could constitute the most widespread leak the site has suffered to date.

Facebook has since confirmed the issue existed and plugged the leak, so this can no longer be exploited. But with 20 million applications installed by users per day, this represents a huge potential leak of personal information.

Symantec explains how access tokens, or 'spare keys' that are granted to you by Facebook, can be used to authorise certain actions on behalf of the user. These are set up by the application installed, through the permission request box. Though these keys will expire after a short time, some of these tokens allow applications to access your data while you are not using the site.

It is suggested that Facebook could have passed on these access tokens in the URL to the application developers, which could then be passed on unknowingly to advertisers and other third parties.

Facebook denies these claims, stating that there are "inaccuracies" and that a thorough investigation showed "no evidence" that information was being sent to third parties.

This is not the first time Facebook has suffered a breach. Not only has it had to contend with its own internal code reaching the public site, which led to a full site shutdown late last year, but it has also been targeted by malicious code writers and suffered serious worm attacks through rogue applications.
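The leak path described above, where a token placed in an application's URL travels onward to advertisers and other third parties, can be audited from request logs. This is an added example, not code from the article, Symantec or Facebook; the parameter name `access_token`, the host names and the log records are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: "access_token" is the parameter carrying the token (the OAuth 2.0 name).
TOKEN_PARAMS = {"access_token"}

def _pairs(section):
    return parse_qsl(section, keep_blank_values=True)

def has_token(url):
    """True if the query string or fragment of url carries a token parameter."""
    parts = urlsplit(url)
    return any(k.lower() in TOKEN_PARAMS
               for sec in (parts.query, parts.fragment) for k, _ in _pairs(sec))

def redact(url):
    """Return url with token parameters removed, safe to log or pass on."""
    parts = urlsplit(url)
    def clean(section):
        pairs = _pairs(section)
        kept = [(k, v) for k, v in pairs if k.lower() not in TOKEN_PARAMS]
        # Leave sections without a token untouched (e.g. a plain "#anchor").
        return section if len(kept) == len(pairs) else urlencode(kept)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))

def find_leaks(requests, first_party):
    """List (host, field, redacted_url) for requests to hosts outside first_party
    whose own URL or Referer header exposes a token."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue
        for field in ("url", "referer"):
            value = req.get(field, "")
            if has_token(value):
                leaks.append((host, field, redact(value)))
    return leaks

# Constructed proxy-log records: the app page load, then two third-party fetches.
APP_URL = "https://apps.example.test/canvas?access_token=CONSTRUCTED123&lang=en"
SAMPLE = [
    {"url": APP_URL, "referer": "https://social.example.test/"},
    {"url": "https://ads.thirdparty.test/pixel.gif?id=7", "referer": APP_URL},
    {"url": "https://cdn.thirdparty.test/lib.js",
     "referer": "https://apps.example.test/canvas?lang=en"},
]
```

Only the advertising request is flagged: its Referer header repeats the application URL, token included, to a host that never needed it.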

  • Leak?

    The primary purpose of Facebook is to "steal" personal data. You can't claim that a "drainer" has a leak when it is working as designed.
  • Your relationship with Facebook

    has to be managed by you, and the easiest way to do that is to use fake names and bogus personal info. You and your friends know who one another are. If you're feeding the Facebook pig with your real personal data, don't get upset when they leak it, steal it or sell it.
  • RE: Facebook applications leak users' personal data to third parties

    I think the real message here is that YOU need to control what you put on facebook...I have nothing on there that I would give a sh*t about if anyone else saw. My profile is already set to public for the most part because the things I put on there are easily findable elsewhere if you really wanted to look (remember: phone books have your name, phone number and address...not a big deal)
  • RE: Facebook applications leak users' personal data to third parties

    I think this is another case of "user beware"... Some of us have become way too trusting and dependent upon the security of the internet. Doesn't anyone realize that we should protect ourselves first? Then trust in the next man second. I mean no one has forced anyone to truthfully fill in required fields.... Come on now!
  • I am amazed

    It still amazes me how much info kids put on their facebook pages and you don't need permission to view some of it either. I warned my brother that his daughter had her address that anyone could read and his retort was 'oh, she is pretty savvy' hmmmm??? I refuse to join but seem able to see most of the family pictures from friends without an invite - just crazy!!! Even on a game site I see such very personal conversations going on - are they dumb or what?
  • There is a Solution!

    This is very unfortunate to hear. However, this does not surprise one with all the garbage going around the web these days. A solution would be great, and so here it is: uProtect.it; this is a plug-in that will allow one to post any information on Facebook and have it be protected! Example: you want to post some private info as your status/wall post/comment, but you only want one or two of your friends to see it. This plug-in will allow you to do just that! No more information getting leaked!
  • Facebook must take a step.

    What a shame, Facebook should take this into consideration in the first place.