Security firm Symantec has discovered a flaw in Facebook's application platform that gave advertisers and other third parties access to users' private data.
The social network had accidentally leaked access 'tokens' to third parties, allowing them to view users' profiles, photographs, chat and other private data, according to Nishant Doshi of Symantec.
Doshi and colleague Candid Wueest discovered the leak, and over the past three years hundreds of thousands of applications hosted on the platform may have inadvertently leaked millions of access tokens to third parties.
The 'tokens' are the credentials an application holds in order to act on a user's behalf, and they were leaked by applications such as games running on Facebook's platform to the advertisers and analytics services whose content those applications loaded.
Around 20 million such applications are installed every day, and the leak is said to date back to 2007.
“Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information,” said Doshi in a blog post.
“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”
Fortunately, the third parties involved, which include advertisers and analytics platforms, may not have realised they had this access. Symantec also warned that the tokens could still sit in those parties' log files, and noted that changing a Facebook password invalidates tokens issued before the change.
“We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue,” Symantec confirmed. “Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc,” according to the blog.
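The path by which a 'spare key' reaches an advertiser is the HTTP Referer header, which Symantec's writeup identified: a legacy application page that carried the user's access token in its URL handed that URL, token included, to every ad pixel or analytics script the page embedded. The following Python is an added illustration by the editor, not code from Facebook or Symantec. It shows the Referer a browser would send from such a page, the hardened form in which the token lives in the URL fragment (which browsers never transmit), and a scan of a third party's access log for tokens it should never have received. The hostnames, token values, log lines and the set of parameter names treated as sensitive are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query parameter names treated as bearer credentials (assumed set for this example).
SENSITIVE_PARAMS = frozenset({"access_token", "oauth_token"})


def referer_for(page_url: str) -> str:
    """Referer a browser sends to a third-party resource embedded in page_url.

    Browsers drop the #fragment but transmit scheme, host, path and the full
    query string (this predates Referrer-Policy), so anything in the query
    reaches the ad or analytics server.
    """
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaked_tokens(referer: str) -> dict:
    """Sensitive parameters a third party can read out of a received Referer."""
    qs = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items() if k in SENSITIVE_PARAMS}


def move_token_to_fragment(page_url: str) -> str:
    """Hardened form: relocate bearer tokens from the query to the fragment.

    The fragment never leaves the browser in a Referer or request line, which
    is why OAuth 2.0 delivers implicit-flow tokens there; a server-side token
    exchange that never places the token in any URL is stronger still.
    """
    p = urlsplit(page_url)
    qs = parse_qs(p.query, keep_blank_values=True)
    moved = {k: qs.pop(k)[0] for k in list(qs) if k in SENSITIVE_PARAMS}
    frag = p.fragment
    if moved:
        frag = urlencode(moved) if not frag else f"{frag}&{urlencode(moved)}"
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(qs, doseq=True), frag))


# Combined log format: the Referer is the quoted field after status and size.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')


def tokens_in_access_log(lines) -> list:
    """Scan a third party's access log for Referers carrying a token.

    Returns (client_ip, param, token) tuples: the evidence an advertiser or
    analytics vendor would find on checking whether it had received tokens.
    Lines that do not parse as combined-format entries are skipped.
    """
    found = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, referer = m.groups()
        for param, token in leaked_tokens(referer).items():
            found.append((ip, param, token))
    return found


# Constructed sample: an application page that carries its token in the query
# and embeds an advertiser's pixel. Hostnames and token values are made up.
APP_PAGE = "https://apps.example-app.test/game/?access_token=AAAB12FAKE&ref=canvas"

# Constructed advertiser log: one hit from the vulnerable page, one from a
# hardened page whose token stayed in the fragment, one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/game/?access_token=AAAB12FAKE&ref=canvas" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/game/?ref=canvas" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("Referer sent from the vulnerable page:", referer_for(APP_PAGE))
    print("Token visible to the third party:", leaked_tokens(referer_for(APP_PAGE)))
    fixed = move_token_to_fragment(APP_PAGE)
    print("Hardened URL:", fixed)
    print("Token visible after the fix:", leaked_tokens(referer_for(fixed)))
    print("Leaks found in the sample log:", tokens_in_access_log(SAMPLE_LOG))
```

The log scan is the check a receiving party (or an application owner auditing its partners) would run; a hit means the token must be treated as compromised and invalidated, since the Referer field in a long-lived access log is exactly where such tokens linger after the page itself has been fixed.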
Facebook has also acknowledged the error and says it has made changes on its end to prevent such leaks from recurring.