Facebook Apps Leak Private Info, Again

Matt Liebowitz, SecurityNewsDaily Staff Writer
May 11 2011 11:29 AM ET

Facebook is in the hot seat again after security researchers determined that hundreds of thousands of apps accidentally leak sensitive user information to third parties.

The issue stems from a software flaw that transmits users' access tokens (essentially a "spare key" that stores your account information) to outside parties, including app developers, advertisers and tracking companies, Nishant Doshi at the security firm Symantec wrote.

With this spare key, a third party can access your profile, photographs, chat logs, comb through your account for personal information, and even pose as you and post messages and communicate with your friends.

Doshi said that last month, nearly 100,000 apps were leaking user info, and that "there is no good way to estimate how many tokens have already been leaked" since Facebook started offering apps in 2007.

Facebook was notified of the software vulnerability.

With more than 500,000 apps currently available on Facebook, the repercussions of this security snafu could be severe.

"We fear a lot of these tokens might still be available in log file of third-party servers or still being actively used by advertisers," Doshi said, urging Facebook users to change their passwords to "invalidate leaked access tokens."

Unfortunately for Facebook, this is a recurring problem.

Last October, it came to light that many popular Facebook apps, including FarmVille and MafiaWars, leak users' info to advertisers and Internet tracking firms.

There are changes on the horizon, however, designed to make Facebook apps less of a security threat.

Video
Big Bucks for Instagram; 13” Tablet? Nokia’s Pres. Talks Lumia – SpoonFed Mobile Ep.#5 | Video
Big Bucks for Instagram; 13” Tablet? Nokia’s Pres. Talks Lumia – SpoonFed Mobile Ep.#5 | Video
LAPTOPmag’s Mark Spoonauer gives his thoughts on the buyout of Instagram, asks how big is too big for a table and talks Lumia with the president of Nokia.
View Video

A post yesterday (May 10), on Facebook's Developer Blog explains that by Oct. 1, all app developers will be required to make their apps accessible via a secure, encrypted HTTPS connection. As it stands now, Facebook itself can be accessed via HTTPS, but apps aren't required to support the connection.

identity-theft-protection-service

Video
Review: Spotify -- Feed your need for tunes anywhere, and (largely) for free
Review: Spotify -- Feed your need for tunes anywhere, and (largely) for free
Facebook Changes ...Again
Facebook Changes ...Again
Review: Facebook... for people who don’t know Facebook.
Review: Facebook... for people who don’t know Facebook.
Goodbye Steve Jobs!
Goodbye Steve Jobs!
Company Company Info About the Site Contact Us Advertise with Us Using our Content Licensing & Reprints Privacy Policy Sitemap
Network TopTenREVIEWS LiveScience SPACE.com LaptopMag TechNewsDaily Newsarama BusinessNewsDaily Herman Street
Follow TechNewsDaily Join Our Mailing List
Copyright © 2013 All Rights Reserved.