May 11, 2011 15:28 GMT

Hundreds of thousands of Facebook applications have exposed people's accounts to advertisers over the years by leaking a sensitive piece of information that enabled access to them.

According to security researchers from Symantec who identified the problem and notified Facebook back in April, the apps leaked account access tokens to third-party partners.

These tokens are used by the apps themselves to read information from people's accounts, access the profiles of their friends, post on their walls and perform other operations permitted by users on installation.

"Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile," Facebook's Nishant Doshi explains.

The tokens normally expire after a certain time, with the exception of those for offline access, which are only reset when the account password is changed.

It seems that applications that switched to the new OAuth 2.0 authentication model are not affected by this data leak bug.

Symantec estimates that as of April 2011 as many as 100,000 apps were leaking access tokens, but the number of applications that did so before being upgraded is probably much larger.

There is no evidence that advertisers or other third parties even realized this was happening or abused the tokens; however, the possibility cannot be dismissed.
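As an added example (not code from the article, Symantec or Facebook), here is the kind of log check an application operator could run to find access tokens leaving for hosts outside the app's own set, which is the question the paragraph above leaves open. It assumes tokens travel in URL query strings or in the Referer header; the log format, host names and token values are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts the app is expected to send a token to (assumed set for this example).
FIRST_PARTY_HOSTS = {"graph.facebook.com", "api.facebook.com"}

# Constructed outbound-request log: "<method> <url> referer=<referer or ->".
SAMPLE_LOG = """\
GET https://graph.facebook.com/me?access_token=AAA111 referer=-
GET https://ads.example-partner.net/pixel.gif?access_token=AAA111 referer=-
GET https://ads.example-partner.net/track?id=7 referer=https://apps.example-app.com/canvas?access_token=BBB222
GET https://cdn.example-app.com/style.css referer=https://apps.example-app.com/canvas
"""

LINE_RE = re.compile(r"^(?P<method>\S+)\s+(?P<url>\S+)\s+referer=(?P<referer>\S+)$")


def tokens_in(url):
    """Return any access_token values carried in the URL's query string."""
    if url == "-":
        return []
    return parse_qs(urlsplit(url).query).get("access_token", [])


def mask(token):
    """Never write a full token into a finding; keep a short prefix for correlation."""
    return token[:3] + "***"


def find_leaks(log_text, first_party=FIRST_PARTY_HOSTS):
    """Flag requests that carry an access token, either in the request URL or in the
    Referer it sends along, to a host outside the first-party set.
    Returns a list of (line_no, host, where, masked_token)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        host = urlsplit(m["url"]).hostname
        if host in first_party:
            continue
        for tok in tokens_in(m["url"]):
            findings.append((n, host, "url", mask(tok)))
        for tok in tokens_in(m["referer"]):
            findings.append((n, host, "referer", mask(tok)))
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

Lines 2 and 3 of the sample are the two leak patterns worth alerting on: a token sent directly to a partner host, and a token exposed through the Referer of a page that embeds a partner resource.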

Meanwhile, Facebook downplayed the issue. "We've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," a company spokesperson told The Wall Street Journal.

Nevertheless, the company is determined to fix it and today announced that all apps using the old Connect auth method are required to migrate to OAuth 2.0 by September 1.