According to a security researcher at Symantec, some Facebook applications are inadvertently revealing personal user information to third parties. Symantec security researcher Nishant Doshi posted details of the vulnerability in the Symantec Security Response blog yesterday.
In his post, Doshi explains that Facebook applications, primarily those still using Facebook's legacy authentication scheme rather than OAuth 2.0 (which Facebook now uses by default), could have leaked access tokens to many third parties. Under the legacy scheme the token was carried in the application's own URL, from where the browser can forward it in the HTTP Referer header to advertisers and analytics providers embedded in the application page. A token obtained that way could give unauthorized access to parts of your Facebook account.
Doshi explains the specifics of the vulnerability in more detail in his post:
Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc. ... By default, most access tokens expire after a short time; however, the application can request offline access tokens, which allow them to use these tokens until you change your password, even when you aren’t logged in.
Doshi communicated the details of the vulnerability (discovered by Doshi and fellow Symantec security researcher Candid Wuesst) to Facebook. A post by Naitik Shah on the Facebook developer blog confirms that Facebook is working with Symantec to address the issue and has updated the Facebook developer roadmap to require all third-party websites and applications to migrate to the OAuth 2.0 standard by October 1st, 2011.
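The leak is easiest to confirm in web-server logs: a token that an application placed in a URL shows up in the Referer header of every request the browser then makes to a third-party host, and in the request line of the application's own logs. The script below is an added example for this article, not code from Symantec or Facebook. It scans Apache/Nginx combined-format log lines for token-bearing query parameters (or URL fragments) in either the request target or the Referer, reports each hit with the token redacted, and includes a helper that strips such parameters from a URL before it is logged, used in a redirect, or exposed to embedded third-party content. The parameter names in TOKEN_PARAMS, the hostnames and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query-parameter names treated as token-bearing. Assumed list for this
# example; tailor it to the token names your applications actually use.
TOKEN_PARAMS = {"access_token", "oauth_token", "token"}

# Apache/Nginx "combined" log format; only the request target and Referer matter here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def tokens_in_url(url):
    """Return [(param, value)] for token-bearing parameters in the URL.

    Both the query string and the fragment are checked, because OAuth
    implicit-flow responses return the token in the fragment.
    """
    parts = urlsplit(url)
    found = []
    for section in (parts.query, parts.fragment):
        for name, value in parse_qsl(section, keep_blank_values=True):
            if name.lower() in TOKEN_PARAMS and value:
                found.append((name, value))
    return found


def redact(token, keep=6):
    """Keep only a short prefix so findings can be correlated without re-leaking the token."""
    return token[:keep] + "..." if len(token) > keep else "***"


def find_leaked_tokens(log_lines):
    """Scan combined-format log lines; return one finding per token seen in a URL."""
    findings = []
    for line in log_lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        # A token in the request target means this server's own app put it in a
        # URL; a token in the Referer means the browser carried it here from
        # another page, i.e. that page leaked it to this host.
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            if url == "-":
                continue
            for name, value in tokens_in_url(url):
                findings.append({
                    "where": where, "param": name, "token": redact(value),
                    "client": m["ip"], "time": m["time"],
                })
    return findings


def scrub_tokens(url):
    """Mitigation: drop token-bearing parameters from query and fragment."""
    parts = urlsplit(url)

    def clean(section):
        kept = [(k, v) for k, v in parse_qsl(section, keep_blank_values=True)
                if k.lower() not in TOKEN_PARAMS]
        return urlencode(kept)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))


# Constructed sample lines (not real traffic). Line 1: a third-party pixel
# host's log where the Referer carries a token an app had in its URL.
# Line 2: the app's own log with the token in the request. Line 3: clean.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/May/2011:14:02:11 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example.com/canvas/?access_token=AAACEdEose0cBAExample123&ref=bookmarks" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:14:02:10 +0000] "GET /canvas/?access_token=AAACEdEose0cBAExample123 HTTP/1.1" 200 1512 '
    '"http://www.facebook.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2011:14:03:00 +0000] "GET /canvas/?page=2 HTTP/1.1" 200 900 '
    '"http://apps.example.com/canvas/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_leaked_tokens(SAMPLE_LOG):
        print(finding)
    print(scrub_tokens("http://apps.example.com/canvas/?access_token=secret&ref=bookmarks#oauth_token=x"))
```

Run against the sample, the scan reports the Referer hit on the pixel host and the request-line hit on the application host, and leaves the clean request alone. Pointing the same scan at the logs of a site that receives traffic from Facebook applications is a quick way to tell whether tokens are arriving in Referer headers; the scrub helper is the minimum an application should apply before any token-bearing URL leaves its process.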
This news also serves as a reminder for IT pros to revisit their social media management and security policies. Because an offline access token stays valid until the account password is changed, make sure users change their social media passwords regularly, review and remove applications they no longer use, and think carefully about which applications they permit to access their Facebook information.
Does this news make you more concerned about security issues with social media platforms like Facebook, Twitter, and LinkedIn? Let me know what you think by commenting on this blog post or following me on Twitter.
Follow Jeff James on Twitter at @jeffjames3
Follow Windows IT Pro on Twitter at @windowsitpro