
Thread: Facebook Apps Accidentally Leaking Access to Third Parties

  1. #1


    Facebook Applications Accidentally Leaking Access to Third Parties | Symantec Connect Community


    ------------------------

    Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

    Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.

    Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

    Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.

    ---------------

    The post describes how some of the permissions of the apps are invasive and allow token access. Certain requests in these malicious apps cause Facebook to respond in such a way that it allows third-parties to gain access to private information of the user no matter what privacy settings have been used.

    Now Facebook was notified of this issue and they did confirm this leakage. They have now made some changes on their end to prevent these tokens from getting leaked.

    Nishant writes "There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile."

    Another day, another news about how Facebook has ruined your privacy and personal space.
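The quoted warning that leaked tokens may still sit in third-party server log files suggests a check a log owner can run. This is an added example, not part of the original thread or Symantec's post: it scans access-log lines for an `access_token` parameter in the request URL or Referer and redacts the value. The combined log format, the `access_token` parameter name, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Apache/nginx "combined" log format; the page does not say what
# format the third-party logs use.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# Assumption: the token travels as an OAuth-style access_token=... parameter.
TOKEN_RE = re.compile(r'(?<![A-Za-z0-9_])(access_token=)[^&#\s"]+', re.IGNORECASE)


def token_in_url(url):
    """Return True if the URL's query string or fragment carries access_token."""
    parts = urlsplit(url)
    for component in (parts.query, parts.fragment):
        if any(k.lower() == "access_token" and v for k, v in parse_qsl(component)):
            return True
    return False


def scan(lines):
    """Yield (line_no, fields_with_token, redacted_line) for affected log lines."""
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skipped, not reported
        hits = [f for f in ("target", "referer") if token_in_url(m.group(f))]
        if hits:
            yield no, hits, TOKEN_RE.sub(r"\1[REDACTED]", line)


# Constructed sample lines (not real traffic; token values are placeholders).
SAMPLE = [
    '198.51.100.7 - - [10/May/2011:10:00:01 +0000] "GET /ad.js?slot=3 HTTP/1.1" 200 512 '
    '"http://apps.example/canvas?access_token=PLACEHOLDER_TOKEN_A&lang=en" "Mozilla/5.0"',
    '198.51.100.8 - - [10/May/2011:10:00:02 +0000] '
    '"GET /track.gif?access_token=PLACEHOLDER_TOKEN_B HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2011:10:00:03 +0000] "GET /ad.js?slot=4 HTTP/1.1" 200 512 '
    '"http://apps.example/canvas?lang=en" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, fields, redacted in scan(SAMPLE):
        print(f"line {no}: token in {', '.join(fields)}\n  {redacted}")
```

Redacting stored copies limits further exposure, but a token that was already logged should still be treated as leaked and invalidated, which is what the password change described in the quote does.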

  2. #2

    accidentally or on purpose?

    nice related talk here from the defcon 18 security convention:
