Facebook profile access 'leaked' claims Symantec Published duration 11 May 2011

image caption Facebook prompts users to grant third-party access to their profile to power applications

Access to hundreds of thousands of Facebook accounts may have accidentally been leaked because of a flaw in some applications.

Security firm Symantec discovered that programs were inadvertently sharing access tokens which could be used by advertisers.

It estimates that, as of last month, 100,000 applications were still enabling leaks.

Facebook said that it was improving authentication methods.

"We have been working with Symantec to identity issues in our authentication flow to ensure that they are more secure," Facebook's Naitik Shah wrote in a blog post on Tuesday

Spare keys

In his report , Symantec's Nishant Doshi explained how access tokens act "like spare keys" to a Facebook user's account.

These keys were typically given out, with the user's permission, to help applications on the Facebook platform function.

With the keys, applications could access a user's profile and photographs, as well as posting messages on their wall.

However, the newly-discovered weakness in the old authentication method would allow spare keys to be passed to further third-parties - likely to include advertisers - through referral data.

"The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident," explained Mr Doshi.

"We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."

But he downplayed the risk, adding: "Fortunately, these third-parties may not have realised their ability to access this information."

Facebook's director of developer relations Kevin Purdy disputed the findings.

In a statement, he said: "We've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorised third parties."

"In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies."

Less secure

By default, new applications on Facebook are required to authenticate using OAuth 2.0, a shared open standard co-authored by several sites including Google and Twitter.

While older applications are encouraged to change to the new system, it is not yet compulsory.

Facebook is now working with third-party developers help migrate them to the OAuth 2.0 system.

"Because of the number of apps using our legacy auth system, we need to be thoughtful about this transition," wrote Facebook's Naitik Shah.

Paul Mutton, a security analyst at Netcraft, said that while the vulnerability could potentially be used for malicious purposes, no secure data such as passwords has been taken.

"Potentially someone else could post stuff to your stream or to your friends' streams - making you like things that you perhaps wouldn't have liked," he said.

Makers of Facebook applications have been given until 1 September by Facebook to make sure their application uses the OAuth 2.0 system.

"For some applications to continue working, the makers will have to make changes. It's about giving the developers time," added Mr Mutton.

"It shouldn't take too long to make the change. But in the cases of more commercial apps, it's going to be more convoluted."