Symantec: Facebook Revealing User Data to Third Parties


According to a security researcher at Symantec, some Facebook applications have been inadvertently giving third parties access to personal user information. Symantec security researcher Nishant Doshi posted details of the vulnerability on the Symantec Security Response blog yesterday.

In his post, Doshi explains that Facebook applications -- primarily those still using Facebook's legacy authentication scheme rather than OAuth 2.0, which Facebook now uses by default -- could have leaked access tokens to many third parties. The legacy flow placed the access token in the application's own URL, so advertisers and analytics providers embedded in the application page could receive it in the HTTP Referer header of their requests. Those tokens can give a holder unauthorized access to parts of your Facebook account.

Doshi explains the specifics of the vulnerability in more detail in his post:

Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc. ... By default, most access tokens expire after a short time; however, the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in.
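The leak Doshi describes comes down to where a token sits in a URL: a browser strips the fragment (the part after `#`) when it builds a Referer header but keeps the query string, which is why the OAuth 2.0 client-side flow returns the token in the fragment while the legacy scheme put it in the query. The following Python is an added example, not code from the article or from Symantec or Facebook; the application URLs, parameter names and the third-party access-log lines are all constructed for illustration. It simulates the Referer a browser would send for each URL form and then scans constructed log lines from a hypothetical ad server to flag requests whose Referer carried a token, which is the check an operator on the receiving side could run to discover such leaks.

```python
"""Token-in-URL leakage via the HTTP Referer header (added example).

Assumptions, not taken from the article: a legacy app page carries the
token in its query string (?access_token=...); an OAuth 2.0 client-side
flow returns it in the fragment (#access_token=...). Per RFC 7231 s5.5.2
a browser drops the fragment (and userinfo) when building Referer, so
only the query-string form reaches embedded third parties.
"""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Parameter names treated as credentials. fb_sig_session_key is the
# legacy-style name; the rest are generic guesses for illustration.
TOKEN_PARAMS = {"access_token", "fb_sig_session_key", "session_key", "token"}

# Constructed URLs; the token value is a placeholder, not a real credential.
LEGACY_APP_URL = ("http://apps.example-social.test/legacyapp/"
                  "?access_token=AAACEdEose0cBADummyToken&fb_sig_user=1234")
OAUTH2_APP_URL = ("http://apps.example-social.test/oauth2app/"
                  "#access_token=AAACEdEose0cBADummyToken&expires_in=3600")

# Constructed Apache combined-format lines from a hypothetical ad/analytics
# server embedded in both application pages.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:14:02:11 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.example-social.test/legacyapp/?access_token=AAACEdEose0cBADummyToken&fb_sig_user=1234" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:14:02:12 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.example-social.test/oauth2app/" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:14:02:13 +0000] "GET /js/analytics.js HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_for(page_url: str) -> str:
    """Simulate the Referer a browser sends when the page at page_url
    loads a sub-resource: fragment and userinfo removed, query kept."""
    parts = urlsplit(page_url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def tokens_in_url(url: str) -> dict:
    """Return {param: value} for credential-like query parameters in url."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items() if k.lower() in TOKEN_PARAMS}


def leaked_tokens_from_log(log_text: str) -> list:
    """Scan combined-format access-log lines and report every request
    whose Referer carried a token. Values are deliberately not returned,
    only the parameter names, so the report itself does not re-leak them."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ref") == "-":
            continue
        ref = m.group("ref")
        found = tokens_in_url(ref)
        if found:
            findings.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "referer_host": urlsplit(ref).hostname,
                "params": sorted(found),
            })
    return findings


if __name__ == "__main__":
    for url in (LEGACY_APP_URL, OAUTH2_APP_URL):
        ref = referer_for(url)
        print(f"Referer: {ref}\n  token params visible to third party: "
              f"{sorted(tokens_in_url(ref)) or 'none'}")
    for finding in leaked_tokens_from_log(SAMPLE_LOG):
        print("leak:", finding)
```

Run stand-alone, the legacy URL yields a Referer that still contains `access_token`, the fragment-style URL yields one with no query at all, and the log scan flags only the request that came from the legacy page. The same scan pointed at real logs needs the parameter set tuned to the platform in question; the names above are placeholders.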

Doshi communicated the details of the vulnerability (discovered by Doshi and fellow Symantec security researcher Candid Wueest) to Facebook. A post by Naitik Shah on the Facebook developer blog confirms that Facebook is working with Symantec to address the issue, and Facebook has updated its developer roadmap to require all third-party websites and applications to migrate to the OAuth 2.0 standard by October 1st, 2011.

This news also serves as a reminder for IT pros to revisit their social media management and security policies. Because a leaked token remains usable until the account password is changed, a password change is the practical remedy for a user who suspects a leak, so policies should ensure that users change their social media passwords regularly, review the applications they have authorized, and are careful about which applications they permit to access their Facebook information.

Does this news make you more concerned about security issues with social media platforms like Facebook, Twitter, and Linkedin? Let me know what you think by commenting on this blog post or following me on Twitter.

Follow Jeff James on Twitter at @jeffjames3

Follow Windows IT Pro on Twitter at @windowsitpro

Discuss this Blog Entry (4 comments)

on May 12, 2011
Ah, the irony in your last statement... :-)

<<<
Does this news make you more concerned about security issues with social media platforms like Facebook, Twitter, and Linkedin?
Let me know what you think by commenting on this blog post or following me on Twitter. Follow Jeff James on Twitter at @jeffjames3
>>>
on May 11, 2011
There are still other nefarious groups who would just use the roadmap to circumvent the security. The best thing to do is to use common sense. There is no way one can tell who visited your profile, no way to see what the father saw, etc. Just use plain old good common sense when dealing with apps that are promising everything under the moon, stars, sun and universe but really are snake oil.
on May 12, 2011
>> Ah, the irony in your last statement... :-)

Ha! Too true. Maybe I need to post a disclaimer alongside that from now on... :)

on May 11, 2011
Fran,

Well said. Good advice for everyone to follow!

- Jeff
