A Facebook privacy flaw has led to personal information and photos of users being leaked to third parties.
According to research by Symantec, in certain cases Facebook iframe applications inadvertently leaked access tokens to third parties such as advertisers or analytic platforms.
As of last month, it estimated that close to 100,000 applications enabled the leakage, which over years could equate to millions of lost access tokens to third parties.
Symantec's Nishant Doshi said that access tokens are 'spare keys' granted by the user to the Facebook application.
The application uses the tokens to perform certain actions on behalf of the user or to access the user's profile. The application requests the user to grant permissions to these actions during the installation process and obtains an access token.
By default, most access tokens expire after a short time. However, an application can request an offline access token, which remains valid until the user changes their password, even when the user is not logged in.
Facebook now uses OAuth 2.0 for authentication; however, older authentication schemes are still supported and are used by hundreds of thousands of applications.
The application uses a client-side redirect to point users to the application permission box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, 'return_session=1' and 'session_version=3', as part of its redirect code.
"If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host," Doshi said.
"The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests."
The issue was reported to Facebook, who has confirmed it has changed settings and notified developers of changes to prevent tokens from being leaked.
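The leak described above works because a browser copies the full URL of the current page, query string included, into the Referer header of every request that page triggers, so a token sitting in the query string travels to any advertiser or analytics host the page loads. The following Python is an added example, not code from Symantec, Facebook or this article: it scans constructed outbound-request log lines for a Referer that carries a token to a different host, and shows the mitigation of scrubbing such parameters from the URL before third-party content is loaded. The parameter names in SENSITIVE_PARAMS, the log format and the hostnames are assumptions for the example; the token value is a placeholder.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query/fragment parameter names that must never reach a third party via Referer.
# This list is an assumption for the example, not taken from Facebook's documentation.
SENSITIVE_PARAMS = {"access_token", "session_key", "oauth_token"}

# Constructed log lines in the form "dest=<url> referer=<url>"; the token is a placeholder.
SAMPLE_LOG = [
    # Ad pixel loaded by the app page: Referer still carries the legacy-redirect token.
    "dest=https://ads.tracker.example/pixel.gif "
    "referer=https://app.example.test/canvas/?return_session=1&session_version=3"
    "&access_token=EXAMPLE_TOKEN_PLACEHOLDER",
    # Same-origin API call: the token stays within the application host.
    "dest=https://app.example.test/api/feed "
    "referer=https://app.example.test/canvas/?access_token=EXAMPLE_TOKEN_PLACEHOLDER",
    # Analytics beacon after the page URL was scrubbed: nothing sensitive left.
    "dest=https://analytics.example/collect "
    "referer=https://app.example.test/canvas/?session_version=3",
]


def find_sensitive_params(url):
    """Return sorted names of sensitive parameters found in a URL's query or fragment."""
    parts = urlsplit(url)
    found = set()
    for component in (parts.query, parts.fragment):
        for name, _value in parse_qsl(component, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                found.add(name.lower())
    return sorted(found)


def scrub_url(url):
    """Return the URL with sensitive parameters removed from query and fragment.

    This is the mitigation: rewrite the page URL (e.g. with history.replaceState in
    the browser) before any third-party script or pixel is loaded, so the Referer
    those requests carry no longer contains the token.
    """
    parts = urlsplit(url)

    def clean(component):
        kept = [(n, v) for n, v in parse_qsl(component, keep_blank_values=True)
                if n.lower() not in SENSITIVE_PARAMS]
        return urlencode(kept)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))


def flag_leaky_requests(log_lines):
    """Detection: list (destination, leaked_params) for cross-host requests whose
    Referer carries a sensitive parameter. Same-host requests are not flagged."""
    findings = []
    for line in log_lines:
        fields = dict(field.split("=", 1) for field in line.split())
        dest = fields["dest"]
        referer = fields.get("referer", "")
        leaked = find_sensitive_params(referer)
        if leaked and urlsplit(dest).netloc != urlsplit(referer).netloc:
            findings.append((dest, leaked))
    return findings


if __name__ == "__main__":
    for dest, params in flag_leaky_requests(SAMPLE_LOG):
        print(f"token leak to {dest}: {', '.join(params)} in Referer")
    leaky = SAMPLE_LOG[0].split("referer=", 1)[1]
    print("scrubbed page URL:", scrub_url(leaky))
```

Running the block flags only the ad-pixel request, because the same-origin API call keeps the token on the application's own host and the analytics beacon was issued after scrubbing. The scrubbing step is the cheap fix an application can apply on its own; the structural fix is the one Facebook's move to OAuth 2.0 reflects, which is to stop putting long-lived tokens in a URL that browsers will echo to every embedded third party.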
This article originally appeared at scmagazineuk.com