Wednesday, June 8, 2011

Symantec Points Out That Facebook Apps Also Leak Data Unintentionally


Symantec, one of the most trusted security firms, has announced that its engineers discovered a hidden security flaw in Facebook's system. It claims that this loophole inadvertently allows advertisers and other third-party applications to gain unnecessary and unintended access to people's accounts, exposing their personal information. Addressing these claims, Facebook asserted that it has already fixed the problem that was identified, and added that it has checked and was unable to find any evidence that any private information is currently being exposed to any third party other than the users themselves and Facebook.
It was on Tuesday that Symantec officials made the announcement through their official blog, asserting that these third-party app developers might not even be aware that they have this extra access to users' personal information, including their profiles, photos and even chats. Symantec researcher Nishant Doshi elaborated on his findings in the blog post, saying that the root of the problem was leaking "access tokens," which he compared to a set of spare keys: they let app developers access a user's profile easily, since they hold this unnecessary permission. Doshi added that by his calculations almost 100,000 applications on Facebook's platform have had this 'spare key' access, allowing them to reach this leaked data, since April. He added that because this discovery has only just been made, it would not be far-fetched to assume that over the years any app developer might have used this 'spare key' access and even accidentally leaked millions of access tokens to third parties.
Even though most access tokens expire after a two-hour period, Doshi pointed out that these applications can also request offline access tokens, which then remain valid unless and until the user actually changes their password.
On the other hand, Kevin Haley, director of security at Symantec, also stated that the leaky apps are only those which use an older version of Facebook's authentication method; he acknowledged that the current, updated method has eliminated this problem. Haley said that concerned users should simply change their Facebook passwords and they would be much safer, though he added that in general users shouldn't be overly worried. He said, "The potential is very large but we have no evidence that anyone did anything with this capability."
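To make concrete why a password change is the remedy Haley recommends, here is an added Python model (constructed for this post, not Symantec's or Facebook's code) of the two token classes described above: two-hour tokens that lapse on their own, and offline tokens that stay valid until the user's password changes. The `TokenAuthority` class and its generation counter are assumptions of the model, not Facebook's implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=2)  # short-lived tokens expire after two hours, per the article


@dataclass
class AccessToken:
    app_id: str
    user_id: str
    issued_at: datetime
    offline: bool = False        # offline-access tokens have no time-based expiry
    password_generation: int = 0  # which password the token was issued under


class TokenAuthority:
    """Constructed model of token issuance and revocation (hypothetical, not Facebook's)."""

    def __init__(self):
        self._password_generation = {}  # user_id -> current password generation

    def issue(self, app_id, user_id, now, offline=False):
        gen = self._password_generation.get(user_id, 0)
        return AccessToken(app_id, user_id, now, offline, gen)

    def change_password(self, user_id):
        # A password change bumps the generation, invalidating every token issued before it.
        self._password_generation[user_id] = self._password_generation.get(user_id, 0) + 1

    def is_valid(self, tok, now):
        if tok.password_generation != self._password_generation.get(tok.user_id, 0):
            return False  # issued under an old password: revoked
        if tok.offline:
            return True   # offline tokens never expire by time
        return now - tok.issued_at < TOKEN_TTL


def still_usable(authority, leaked_tokens, now):
    """Return the subset of leaked tokens that would still grant a third party access."""
    return [t for t in leaked_tokens if authority.is_valid(t, now)]


def demo():
    # Constructed scenario: one short-lived and one offline token leak at the same moment.
    t0 = datetime(2011, 4, 1, 12, 0)
    auth = TokenAuthority()
    leaked = [auth.issue("app-a", "alice", t0), auth.issue("app-b", "alice", t0, offline=True)]
    after_3h = [t.app_id for t in still_usable(auth, leaked, t0 + timedelta(hours=3))]
    auth.change_password("alice")
    after_reset = [t.app_id for t in still_usable(auth, leaked, t0 + timedelta(hours=3))]
    return after_3h, after_reset
```

Three hours after the leak only the offline token still works; once the user changes their password, neither does.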
