Computer security firm Symantec reported this week that Facebook, by granting ‘access tokens’ via its Facebook apps, has exposed the private data of millions of Facebook members to third parties over the last four years. It is not clear how many Facebook members may have had their privacy invaded because many or most third parties may not have been aware of the flaw.
Symantec alerted Facebook to the problem and the social networking giant, which has come under severe criticism over privacy issues in the recent past, took immediate action to remedy the glaring security hole. However, some users may still need to change their passwords to make sure their personal data can no longer be accessed, because some of the access tokens do not expire until this is done.
Symantec explained that for the last four years, third parties have had access to Facebook members’ age, sex, and other personal data, as well as their profiles, pictures, and chats. Symantec also said that third parties could post messages to members’ walls.
Symantec estimates that as of April 2011, 100,000 Facebook applications had given out access tokens which gave third parties like advertisers and analytics platforms access to Facebook members’ personal information. The leakage occurred when users installed an application on their Facebook account: an innocuous-looking pop-up box asked the user to grant the application the ability to see personal information, make wall posts, and other permissions.
Facebook has been giving out these access tokens to third parties since 2007, when it launched third-party applications. Most of the tokens expire in a short time frame, but offline access tokens allow third parties to access personal information when the member is offline, and these do not expire until the member’s password is changed.
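The two token lifetimes described above, as an added illustration that is not Facebook's or Symantec's code: a short-lived token that expires on its own clock, and an "offline" token with no clock expiry that is only invalidated when the account's password changes. The token service, the `password_generation` counter and the sample users and app ids are all hypothetical constructions for the example; they do not reflect how Facebook actually issued or stored tokens.

```python
"""Added example: token lifetimes bound to a clock and to the account password.

Short-lived tokens carry an expiry timestamp. Offline tokens carry none, so the
only thing that invalidates them is a password change, which is modelled here
by bumping a per-account generation counter that every token records when it
is minted. All names and data are hypothetical, constructed for this example.
"""

import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    user_id: str
    password_generation: int = 0   # incremented on every password change


@dataclass
class Token:
    value: str
    user_id: str
    app_id: str
    expires_at: Optional[float]    # None marks an "offline" token (no clock expiry)
    password_generation: int       # generation the token was minted under


class TokenService:
    """Hypothetical issuer/validator for per-app access tokens."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._tokens: Dict[str, Token] = {}

    def register(self, user_id: str) -> None:
        self._accounts[user_id] = Account(user_id)

    def issue(self, user_id: str, app_id: str, offline: bool = False,
              ttl: float = 3600.0, now: Optional[float] = None) -> str:
        """Mint a token for app_id on behalf of user_id and return its value."""
        now = time.time() if now is None else now
        acct = self._accounts[user_id]
        tok = Token(
            value=secrets.token_urlsafe(24),          # random, unguessable token value
            user_id=user_id,
            app_id=app_id,
            expires_at=None if offline else now + ttl,
            password_generation=acct.password_generation,
        )
        self._tokens[tok.value] = tok
        return tok.value

    def change_password(self, user_id: str) -> None:
        """A password change invalidates every token minted under the old generation."""
        self._accounts[user_id].password_generation += 1

    def validate(self, token_value: str,
                 now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (user_id, app_id) if the token is still usable, else None."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token_value)
        if tok is None:
            return None
        # Short-lived tokens die on the clock.
        if tok.expires_at is not None and now >= tok.expires_at:
            return None
        # Offline (and short-lived) tokens die when the password generation moves on.
        if tok.password_generation != self._accounts[tok.user_id].password_generation:
            return None
        return tok.user_id, tok.app_id


def demo() -> dict:
    """Walk through the lifetimes on constructed data and return the observations."""
    svc = TokenService()
    svc.register("alice")
    t0 = 1_000.0
    short = svc.issue("alice", "app_short", now=t0)
    offline = svc.issue("alice", "app_offline", offline=True, now=t0)
    results = {
        "short_fresh": svc.validate(short, now=t0 + 1),
        "short_after_ttl": svc.validate(short, now=t0 + 3600),
        "offline_years_later": svc.validate(offline, now=t0 + 4 * 365 * 86400),
    }
    svc.change_password("alice")
    results["offline_after_password_change"] = svc.validate(offline, now=t0 + 4 * 365 * 86400)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'valid' if outcome else 'rejected'}")
```

The point of the `password_generation` check is that a leaked offline token stays valid indefinitely on its own, so the one remedy the article names, changing the password, must actually reach the validator; if the validator only looked at `expires_at`, an offline token would never be rejected.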
Symantec said the repercussions of the security leak through the access tokens are clearly wide-ranging. “Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked.”
A Facebook spokesman said the company has so far seen no evidence that unauthorized third parties were given private information as a result of the security problem, and noted that there are “contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policy.”