Facebook caught exposing millions of user credentials
App bug overrides user privacy settings
Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.
The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.
The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible. “There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007,” Symantec's Nishant Doshi wrote in a blog post published on Tuesday. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”