A Facebook privacy flaw has led to personal information and photos of users being leaked to third parties.
According to research by Symantec, in certain cases Facebook iframe applications inadvertently leaked access tokens to third parties such as advertisers or analytics platforms. As of last month, Symantec estimated that close to 100,000 applications were enabling this leakage, which could mean that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
Symantec's Nishant Doshi explained that access tokens are ‘spare keys’ granted by the user to the Facebook application. The application uses the tokens to perform certain actions on behalf of the user or to access the user's profile. During the application installation process, the application asks the user to grant permission for these actions; once the user grants them, the application receives an access token.
By default, most access tokens expire after a short time. However, an application can request offline access tokens, which remain valid until the user changes their password, even while the user is not logged in.
Facebook now uses OAuth 2.0 for authorisation; however, older authentication schemes are still supported and used by hundreds of thousands of applications. The application uses a client-side redirect to send the user to the familiar application permission dialog box. This indirect leak can happen if the application uses a legacy Facebook API and includes the deprecated parameters ‘return_session=1’ and ‘session_version=3’ in that redirect.
“If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host. The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests,” Doshi said.
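The referrer leak described above, as an added example that is not part of the article or of Symantec's research: a browser sends the page URL, minus the fragment but including the query string, as the Referer header for every image, script and tracking pixel the page loads, so a token that the legacy flow put into the application's URL travels to each third-party host the page pulls content from. The Python below shows that behaviour, the redaction an application should apply before exposing such a URL, and a scan of constructed combined-format log lines of the kind an advertiser or analytics host would hold. The query parameter names access_token, session and oauth_token, the host names and the log lines are assumptions made for the demonstration, not Facebook's documented parameters.

```python
"""Added example, not code from Symantec's research or from the article: how an
access token placed in an application's page URL ends up in the Referer header
of requests to third-party hosts, and how to spot such leaks in a web server
log. Parameter names and log lines are constructed for the demonstration."""

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameters assumed to carry a token. The page only names the
# deprecated redirect parameters return_session and session_version, so these
# names are assumptions for the demo, not Facebook's documented ones.
TOKEN_PARAMS = {"access_token", "session", "oauth_token"}


def token_params_in_url(url):
    """Return {name: value} for token-bearing parameters in the query string."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k in TOKEN_PARAMS}


def build_referer(page_url):
    """Browsers send the page URL minus its fragment as the Referer when the
    page loads a resource (RFC 7231 section 5.5.2). The query string, and any
    token inside it, goes along with it."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def strip_token_params(url):
    """Application-side mitigation: drop token-bearing parameters before the
    URL is exposed (redirect to the clean URL, or history.replaceState), so
    that ads and analytics scripts loaded afterwards never see the token."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k not in TOKEN_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))


# Apache/nginx "combined" log format, as recorded on the third-party host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_leaked_tokens(log_lines):
    """Return (line_no, referring_host, {param: value}) for every request
    whose Referer carries a token-bearing parameter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        leaked = token_params_in_url(m.group("referer"))
        if leaked:
            hits.append((n, urlsplit(m.group("referer")).netloc, leaked))
    return hits


# Constructed sample: four requests for an ad pixel as seen by the advertiser.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 '
    '"http://apps.example-game.com/canvas?ref=bookmarks" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 '
    '"http://apps.example-game.com/canvas?access_token=AAAB1234abcd&ref=bookmarks" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 '
    '"http://apps.example-game.com/canvas?session=%7B%22access_token%22%3A%22AAAB5678wxyz%22%7D" "Mozilla/5.0"',
    '203.0.113.10 - - [10/May/2011:12:00:04 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, host, params in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {line_no}: token from {host} in Referer: {params}")
    leaky = "http://apps.example-game.com/canvas?access_token=AAAB1234abcd&ref=bookmarks#top"
    print("Referer sent to third parties:", build_referer(leaky))
    print("Clean URL to redirect to:     ", strip_token_params(leaky))
```

Two of the four constructed requests carry a token in the Referer, one as a bare parameter and one inside URL-encoded JSON, which is why the scan decodes the query string rather than matching the raw text. The lasting lesson for application developers is the one in strip_token_params: a bearer credential must never sit in a URL that a browser will use as a page address, because every third-party resource on that page will receive it. Modern browsers also honour a Referrer-Policy: no-referrer response header, which is an additional, not a substitute, control.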
The issue was reported to Facebook, which confirmed that it has changed settings and notified developers of the changes, to prevent further tokens from being leaked.
Catalin Cosoi, head of the BitDefender online threats lab, said: “This episode teaches us all at least two main lessons: applications should have switched to the new authorisation mechanism as soon as possible and if any data was leaked, there is not much to be done now, since it is lost for good.
“Users should pay extra attention in the following months to all the messages they receive and be very careful when they are asked to perform different actions, even though the messages/requests might apparently come from someone they know. Just as they have already been advised, a good way for Facebook users to invalidate their current access tokens is for them to change their passwords.”