Facebook: no evidence of apps leaking user data

Facebook says it has found no evidence that the flaw affecting hundreds of thousands of its apps resulted in leaked user data.

Yesterday Symantec revealed that hundreds of thousands of Facebook apps have been accidentally leaking user data for years (if you haven't yet, change your Facebook password, to be on the safe side). Thankfully, the two companies worked together to fix the flaw before it could be seriously exploited.

Symantec said the Facebook apps were leaking access to millions of Facebook users' accounts, including profiles, photographs, chat, and other personal information. The only comfort the security company offered was that the third parties who were accidentally granted access to the data may not have realized their ability to see this information.

I checked with Facebook, and the company has confirmed that the bug allowed some developers to use an outdated and undocumented version of Facebook's API. As a result, some apps may have inadvertently transmitted user IDs and access tokens to third parties. Facebook also clarified that neither an access token nor a user ID can provide access to details such as a user's contact information, financial details, or any other sensitive information not available through its API. It also underlined that the vast majority of access tokens expire in two hours.

Most importantly, Facebook found no evidence that this information was being used in a way that violated its policies. If it did, Facebook would have to severe ties with any third parties that broke its rules. Either way, the company still took the issue seriously and fixed the flaw.

"We appreciate Symantec raising this issue and we worked with them to address it immediately," a Facebook spokesperson said in a statement. "Unfortunately, their resulting report has a few inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies."

Soon after Symantec's report was published, Facebook yesterday also announced that it would be permanently retiring its old authentication routine. The company is still working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 and HTTPS.

Facebook is requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate in the next five months. The company says that the sheer number of Facebook apps prevents it from forcing developers to make the switch immediately. Here's the timeline:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

To learn more about the now-fixed flaw, please check out my previous article: Facebook apps have been accidentally leaking user data for years. The most important thing to note is that both Facebook and Symantec made sure the issue was fixed before disclosing the flaw publicly.