Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day. “Some third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties mayn’t have realized their ability to access this information,” revealed Symantec.
Symantec explains, the access tokens are similar to handing out “spare keys” for third parties to access your profile. The issue occurs for older Facebook applications that don’t use OAUTH 2.0 for authentication, instead using a deprecated method by passing “return_session=1” and “session_version=3” as parameters in a redirect URL. Facebook would then return a token back to the sender, and the application would then proceed to gather information for its usage.
The problem is if some applications have a hidden IFRAME whereby the URL containing the above parameters was passed back to a third party in the referrer field. By obtaining the URL, other unwanted companies can also obtain that same access token, and now have the same level of access as that granted to the application the user gave consent to.
Symantec estimate that as of April 2011, close to 100,000 apps were enabling this leakage. “We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” said Symantec.
Symantec recommends concerned users should change their Facebook passwords to force applications to request a new access token. In addition, it would be wise for users to watch which applications they grant access to.
Facebook on their Developer blog stated that “the deprecated form of authentication will be removed on September 1 of this year, and all apps must migrate to OAuth 2.0 and expect an encrypted access token.”