Facebook Apps Leak Private Info, Again
Facebook is in the hot seat again after security researchers determined that hundreds of thousands of apps accidentally leak sensitive user information to third parties.
The issue stems from a software flaw that transmits users' access tokens (essentially a "spare key" that stores your account information) to outside parties, including app developers, advertisers and tracking companies, Nishant Doshi at the security firm Symantec wrote.
With this spare key, a third party can access your profile, photographs and chat logs, comb through your account for personal information, and even pose as you to post messages and communicate with your friends.
Doshi said that last month, nearly 100,000 apps were leaking user info, and that "there is no good way to estimate how many tokens have already been leaked" since Facebook started offering apps in 2007.
Facebook was notified of the software vulnerability.
With more than 500,000 apps currently available on Facebook, the repercussions of this security snafu could be severe.
"We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers," Doshi said, urging Facebook users to change their passwords to "invalidate leaked access tokens."
Unfortunately for Facebook, this is a recurring problem.
Last October, it came to light that many popular Facebook apps, including FarmVille and MafiaWars, were leaking users' info to advertisers and Internet tracking firms.
There are changes on the horizon, however, designed to make Facebook apps less of a security threat.
A post yesterday (May 10) on Facebook's Developer Blog explains that by Oct. 1, all app developers will be required to make their apps accessible via a secure, encrypted HTTPS connection. As it stands now, Facebook itself can be accessed via HTTPS, but apps aren't required to support the connection.