Hundreds of thousands of Facebook applications have exposed people's accounts to advertisers over the years by leaking a sensitive piece of information that enabled access to them.
According to security researchers from Symantec who identified the problem and notified Facebook back in April, the apps leaked account access tokens to third-party partners.
These tokens are used by the apps themselves to read information from people's accounts, access the profiles of their friends, post on their walls and perform other operations permitted by users on installation.
"Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile," Facebook's Nishant Doshi explains.
The tokens normally expire after a certain time, with the exception of those for offline access which are only reset when the account password is changed.
It seems that applications that switched to the new OAuth 2.0 authentication model are not affected by this data leak bug.
Symantec estimates that in April 2011 there were as many as 100,000 apps leaking access tokens, but the number of applications that leaked tokens before being upgraded is probably much larger.