The Ugly Side Of The Cloud, Facebook Access Vulnerability Uncovered

Martin Brinkmann
May 11, 2011
Updated • Dec 14, 2014

Security has been one of the top topics of the last 30 days. We have had the LastPass incident and the Sony PSN hack. Both incidents demonstrated that your data may be at risk even if you play by the book and use the best security practices available.

If you thought that was all for this month, you were wrong. Symantec revealed yesterday that it uncovered an access vulnerability on Facebook which may date back to 2007.

Facebook applications, in certain cases, leaked access tokens to third parties. An access token is the credential an application uses to act on behalf of the user, for instance to post to the user's wall. In the cases Symantec describes, the token ended up in the URL of the application page, from where the browser passed it on in the HTTP Referer header to the advertisers and analytics providers whose content that page embedded. With those access tokens at their disposal, advertisers and other companies were theoretically able to perform operations on the user's behalf, which could include reading friends' profiles (even ones hidden from the public), photos and chats, and posting to the user's wall.

Symantec estimates that close to 100,000 Facebook applications leak those access tokens. Facebook introduced third-party applications in 2007, and Symantec estimates that the vulnerability has existed from day one.

According to Symantec, it is unlikely that the receiving companies have even noticed the tokens in their logs, which makes exploitation unlikely but not impossible: a token that sits in a log file remains usable until it expires or is revoked.

Facebook appears to have fixed the access vulnerability in the meantime. That does not mean that Facebook accounts are safe right away, because access tokens that have already leaked do not stop working right away.

Most access tokens expire after some time. Applications can, however, request offline access (the offline_access permission) during installation, which issues an access token that does not expire on its own. The only way for a user to invalidate such a token is to change the account password.

Facebook recently announced the migration to OAuth 2.0 for all applications. Application developers have until September 1, 2011 to move their applications to OAuth 2.0 authentication.
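To make the leak described above concrete, and to show what the OAuth 2.0 change does about it, here is an added example in Python. It is not code from this article, from Facebook or from Symantec. It assumes the leak vector Symantec documented for legacy canvas applications: the access token arrived as a query-string parameter of the application page, and the browser forwarded that URL in the HTTP Referer header to every third-party ad or analytics resource the page embedded. The second half is the check a practitioner would want: scanning a web server log for tokens that arrived in Referer headers. Host names, token values, the log lines and the `fb_sig_session_key` parameter name are constructed or assumed for the demo.

```python
"""Added example (not code from ghacks, Facebook or Symantec).

Part 1: what a third party receives in the Referer header when a page URL
carries an access token in its query string (legacy style) versus in its
fragment (OAuth 2.0 client-side flow). RFC 7231 section 5.5.2 forbids the
fragment in Referer, so the fragment-carried token never leaves the browser.

Part 2: a log scan a third party (or a tester with access to its logs) could
run to find tokens that arrived this way.

Assumptions: host names, token values and log lines are constructed for the
demo; SENSITIVE_PARAMS lists the parameter names to look for in this
scenario and is not a complete list.
"""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameters that must never reach a third party.
# "fb_sig_session_key" is assumed here as the legacy canvas parameter name.
SENSITIVE_PARAMS = {"access_token", "fb_sig_session_key"}


def referer_for(page_url: str) -> str:
    """Referer value a browser sends when page_url loads a cross-site resource.

    Scheme, host, path and query are forwarded; the fragment is dropped
    (RFC 7231 section 5.5.2). Without a restrictive Referrer-Policy this is
    the default, so everything in the query string is visible to the third party.
    """
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaked_params(referer: str) -> dict[str, str]:
    """Sensitive query parameters present in a Referer value (empty if none)."""
    query = parse_qs(urlsplit(referer).query)  # parse_qs also URL-decodes values
    return {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}


# Constructed URLs for one canvas page, before and after the OAuth 2.0 change.
LEGACY_PAGE = (
    "https://apps.example-canvas.test/game/"
    "?access_token=AAAB12345678%7CsecretValue&ref=bookmarks"
)
OAUTH2_PAGE = (
    "https://apps.example-canvas.test/game/"
    "#access_token=AAAB12345678%7CsecretValue&expires_in=3600"
)

# Apache/nginx combined log format, as a third-party ad server would record it.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one leaking request, one harmless, one without Referer.
AD_SERVER_LOG = """\
203.0.113.7 - - [10/May/2011:14:02:11 +0000] "GET /banner.js HTTP/1.1" 200 512 "https://apps.example-canvas.test/game/?access_token=AAAB12345678%7CsecretValue&ref=bookmarks" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:14:02:12 +0000] "GET /banner.js HTTP/1.1" 200 512 "https://apps.example-canvas.test/game/?ref=bookmarks" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:14:02:13 +0000] "GET /banner.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def scan_log(log_text: str) -> list[dict]:
    """One finding per log line whose Referer carries a sensitive parameter."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        leaked = leaked_params(m["referer"])
        if leaked:
            findings.append({
                "client": m["ip"],
                "time": m["ts"],
                "leaking_page": urlsplit(m["referer"]).netloc,
                "params": leaked,
            })
    return findings


if __name__ == "__main__":
    print("legacy page  -> Referer:", referer_for(LEGACY_PAGE))
    print("  leaked:", leaked_params(referer_for(LEGACY_PAGE)))
    print("OAuth 2.0 page -> Referer:", referer_for(OAUTH2_PAGE))
    print("  leaked:", leaked_params(referer_for(OAUTH2_PAGE)))
    for finding in scan_log(AD_SERVER_LOG):
        print("LEAK", finding)
```

Run stand-alone it prints the two Referer values (the legacy one carries the token, the OAuth 2.0 one stops at the path) and a single LEAK finding for the first log line. The same scan applied to real logs of a service that is embedded in other sites' pages is how you would tell whether anyone has been sending you credentials by accident. On the page-owner side the fixes are the ones the OAuth 2.0 migration points at: keep tokens out of the query string (fragment or Authorization header) and, in today's browsers, set a Referrer-Policy such as no-referrer on pages that hold credentials in their URL.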

It may be a good time to change your Facebook password if you use, or have used, third-party applications on Facebook.

Melanie's take

Once Again, You May Be Sharing More Than You Intended on Facebook

Facebook’s privacy record hasn’t exactly been stellar. In the past, however, the negative press Facebook received over its privacy fiascos was due to a changed setting or a policy switch. Now Facebook is once again under fire, this time due to leaky security.

In the past, Facebook has been criticized because of its attitude toward privacy. It is increasingly obvious that Facebook’s intent is to make sure as many people share as much as possible. There has been a noticeable shift over the past five years. In the beginning, Facebook made your personal information private and under your control by default. Now, all of your data is as wide open as it can be by default. If you want to make your data more private, it isn’t as easy as one, two, three. For the average user, it is difficult to navigate the pages of privacy settings.

To be fair to Facebook, this time, the problem wasn’t a deliberate attempt to make more of your personal data public. It is an accidental leak of your data to third parties.

You know those apps that are so popular? The ones that add functionality to the Facebook ecosystem for everything from games to shopping? Well, according to security firm Symantec, it turns out that since Facebook apps were introduced in 2007, they’ve been leaking your information to third parties.

The leak involves access tokens. These are given to the apps you use so that they can access your user data. The apps need them to read and post on your wall, see your friends’ profiles, and see the personal information they need to function. Symantec says that, by accident, over 100,000 applications may have leaked millions of access tokens to third parties.

Facebook reassures its users that there have been no negative consequences of the potentially leaked user information and that no private data has been leaked to third parties. Symantec notes that, although it’s possible the third parties didn’t even know they could access the information, the repercussions of the leak could be extensive.

Symantec made Facebook aware of the problem in mid-April, and Facebook said that as of Tuesday there was no longer an issue and the leak had been fixed.

This isn’t the first time Facebook has learned that apps might be sharing info with third parties, intentionally or not. Last fall, Facebook suspended some apps for doing exactly that.

Facebook, once again, might have been sharing more of your data with people you don’t necessarily want to see it. At least this time it’s by accident, and it’s something that can be fixed. Still, it’s one less reason to trust Facebook with your privacy.

Is the Facebook privacy issue a big one for you? Do you consider your data yours, or are you of the opinion that if you’re sharing something online, it’s in public anyway? What are your thoughts?



  1. 13 said on May 13, 2011 at 1:52 am

    even if you play by the book and use the best security practices available.

    1. 13 said on May 13, 2011 at 1:53 am

      PSN?? Seriously?? LOL!
