Feeds

Facebook caught exposing millions of user credentials

App bug overrides user privacy settings

Build a business case: developing custom apps

Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible.

“There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007,” Symantec's Nishant Doshi wrote in a blog post published on Tuesday. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

While many access tokens expire shortly after they're issued, Facebook also supplies offline access tokens that remain valid indefinitely. Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys.

The flaw resides in an authentication scheme that predates the roll out of a newer standard known as OAUTH. Facebook apps that rely on the legacy system and use certain commonly used code variables will leak access tokens in URLs that are automatically opened by the application host. The credentials can then be leaked to advertisers or other third parties that embed iframe tags on the host's page.

“The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident,” Doshi wrote. “In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests.”

A Facebook spokeswoman said there is no evidence the weakness has been exploited in ways that would violate the social network's privacy policy, which steadfastly promises: “We never share your personal information with our advertisers.” Facebook on Tuesday also announced it was permanently retiring the old authentication routine.

Doshi, who was assisted by fellow researcher Candid Wueest, said there's no way to know precisely how many apps or Facebook users were affected by the glitch. They estimate that as of last month, almost 100,000 applications were enabling the leakage and that over the years “hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”

Facebook over the years has regularly been criticized for compromising the security of its users, which now number more than 500 million. The company has rolled out improvements, such as always-on web encryption, although users still must be savvy enough to turn it on themselves, since the SSL feature isn't enabled by default.

As indicated above, all previously issued access tokens can be cleared by changing your Facebook password. Readers who aren't sure if they're affected might want to err on the side of security and update their password now. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?