Facebook gives advertisers access to millions of user accounts

For the last four years, Facebook has inadvertently been giving advertisers and other third parties access to user accounts and personal information.

The security flaw has arisen through Facebook applications, which in some cases shared their ‘access tokens’ with advertisers and analytic platforms. It gave these third parties the ability to access profiles, photos and chat, as well as allowing them to post messages and mine personal information.

“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage,” says Nishant Doshi of Symantec. “We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”

Facebook now uses OAUTH2.0 for authentication. However, according to Symantec, hundreds of thousands of applications still use older authentication schemes. With these, facebook first sends the application certain non-identifiable information about the user, such as their location and age bracket, allowing the application to personalize the page. The application then uses a client-side redirect to redirect the user to the application permission dialog box.

“This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, “return_session=1” and “session_version=3″, as part of their redirect code,” says Doshi.

“If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host.”

 This means that the Facebook application is now in a position to inadvertently leak the access tokens to third parties – “potentially on purpose and unfortunately very commonly by accident,” says Doshi.

Facebook has acknowledged the flaw, and says it’s making changes to close the loophole. Last night, it updated its Developer Roadmap to require that all sites and apps migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1.

Unfortunately, of course, this doesn’t deal with the fact that a massive number of access tokens have already been leaked, and many may still be available in log files of third-party servers or being actively used by advertisers.

“Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to ‘changing the lock’ on your Facebook profile,” says Doshi.