Nishant Doshi of Symantec, the maker of the Norton security suite, revealed that Facebook may have left a way for third-party firms to access users' account data even when those users are offline.
“Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information,” wrote Doshi in a blog post dated May 10 on the Symantec site.
According to Doshi, IFRAME Facebook apps “inadvertently leaked access tokens to third parties like advertisers or analytic platforms.” He said that, as of April 2011, Symantec estimated that about 100,000 applications were enabling this leakage.
“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” he added.
However, a report from Computerworld, citing Facebook spokeswoman Malorie Lucich, says that the popular social networking site has disputed the severity of the data leak, if there was one.
Lucich reportedly told the publication that “specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours.”
According to Lucich, the Symantec report failed to note that advertisers and developers on Facebook are under contract “which prohibit them from obtaining or sharing user information in a way that violates our policies.”