May 16, 2011. Cyberspace. Software security company Symantec warned the internet world that a security breach at Facebook had given third parties access to Facebook users’ pages, personal information and accounts. Facebook immediately announced that the hole had been plugged. Symantec, however, warns that Facebook users must change their password now, much like changing the locks on your house when your keys have been stolen.
The hole was serious enough that intruders could access users’ accounts, post on their wall, send messages posing as the actual user, and download pictures, videos and other material, Symantec said in its statement:
“Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.
We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties. Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc”.
Is there a threat to the average Facebook user? According to Symantec, yes. They explain, “There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile”.
Nishant Doshi and Candid Wueest from Symantec are credited with the discovery of this issue.