The Ugly Side of the Cloud – Facebook Access Vulnerability Uncovered

These things always seem to come in threes for some odd reason …

Security has been one of the top topics of the last 30 days. We have had the LastPass incident and the Sony PSN hack. Both incidents demonstrated that your data may be at risk even if you play by the book and follow the best security practices available.

If you thought that was all for this month, you were wrong. Symantec revealed yesterday that it has uncovered an access vulnerability on Facebook which may date back to 2007.

In certain cases, Facebook applications leaked access tokens to third parties. Access tokens are what applications use to act on behalf of the user, for instance to post to the user's wall. The tokens ended up in application page URLs and were passed on to content embedded in those pages, such as advertisements and analytics scripts, mostly through the HTTP Referer header. With those tokens at their disposal, advertisers and other companies could in theory perform any operation the user had permitted the application to perform on their behalf: accessing friends' profiles even if they are hidden from the public, posting to the user's wall, or reading chats and photos.
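Symantec's writeup attributes the leak to the legacy application scheme, in which the access token was part of the application page URL and therefore reached third-party content embedded in that page (advertisements, analytics pixels) in the HTTP Referer header. The following Python script is an added example, not code from the original article, from Facebook or from Symantec; the hosts, tokens, parameter names other than access_token, and log lines in it are constructed for illustration. It reproduces the Referer a browser would send for a sub-resource of an application page, scans ad-server access-log lines for tokens carried that way, and shows that a token placed in the URL fragment (as the OAuth 2.0 client-side flow does) never arrives at the third party.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed hosts and tokens; none of these are real Facebook or vendor endpoints.
APP_HOST = "apps.example-app.test"
AD_HOST = "ads.example-adnet.test"

# Legacy style: the token is carried in the query string of the app page URL.
LEGACY_APP_URL = f"https://{APP_HOST}/canvas/?page=home&access_token=TOKEN-CONSTRUCTED-1"
# Fragment style (what the OAuth 2.0 client-side flow does): same token, after '#'.
FRAGMENT_APP_URL = f"https://{APP_HOST}/canvas/?page=home#access_token=TOKEN-CONSTRUCTED-2"

# Query parameters that carried credentials in pre-OAuth-2.0 application URLs.
# access_token is the one the article discusses; fb_sig_session_key is the
# older session-key parameter of the legacy scheme (included as an assumption).
TOKEN_PARAMS = ("access_token", "fb_sig_session_key")


def referer_for(page_url: str) -> str:
    """Referer a browser attaches when fetching a sub-resource of page_url.

    Browsers send the page URL without its fragment (RFC 7231 section 5.5.2),
    so anything after '#' never reaches the third party.
    """
    scheme, netloc, path, query, _fragment = urlsplit(page_url)
    return urlunsplit((scheme, netloc, path, query, ""))


def tokens_in_url(url: str) -> dict:
    """Credential-bearing query parameters present in url, if any."""
    query = parse_qs(urlsplit(url).query)
    return {name: query[name][0] for name in TOKEN_PARAMS if name in query}


def ad_server_log_line(client_ip: str, page_url: str) -> str:
    """One combined-format access-log line as the ad server at AD_HOST would
    record it when a page at page_url embeds its tracking pixel (constructed)."""
    return (f'{client_ip} - - [10/May/2011:12:00:00 +0000] '
            f'"GET /pixel.gif HTTP/1.1" 200 43 "{referer_for(page_url)}" "Mozilla/5.0"')


# Apache/nginx combined log format: the Referer is the first quoted field after
# the status code and response size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def leaked_tokens(log_lines) -> list:
    """Scan third-party access-log lines for Referer values that carry tokens.

    Returns one record per leaking request: the client address, the application
    host the token belongs to, and the leaked parameters.
    """
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        tokens = tokens_in_url(referer)  # a "-" Referer parses to no query at all
        if tokens:
            leaks.append({
                "client": m.group("client"),
                "app_host": urlsplit(referer).netloc,
                "tokens": tokens,
            })
    return leaks


# Constructed sample: one legacy app page view, one fragment-style page view,
# and one direct hit with no Referer at all.
SAMPLE_LOG = [
    ad_server_log_line("203.0.113.5", LEGACY_APP_URL),
    ad_server_log_line("203.0.113.6", FRAGMENT_APP_URL),
    '198.51.100.7 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for leak in leaked_tokens(SAMPLE_LOG):
        print(f'{leak["client"]} leaked {leak["tokens"]} from {leak["app_host"]}')
```

Only the legacy page view shows up as a leak; the fragment-style view produces the same Referer minus the token. The point for an application developer is that the token must stay out of the page URL's path and query entirely, either by obtaining it server-side or by carrying it in the fragment, since the third party's logs are outside the application's control and keep whatever the browser sent.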

Symantec estimates that close to 100,000 Facebook applications leaked such access tokens. Facebook introduced third party applications in 2007, and Symantec estimates that the vulnerability has existed from day one.


According to Symantec it is unlikely that the companies on the receiving end discovered the vulnerability, which makes exploitation unlikely but not impossible. The tokens may nevertheless still sit in those companies' server logs, where anyone with access to the logs could find them.

Facebook has fixed the access vulnerability in the meantime. That does not mean that Facebook accounts are safe right away: tokens that have already leaked are not automatically invalidated by the fix, and access tokens do not expire immediately.

Most access tokens expire after some time. Applications can however request offline access during installation, which issues an access token that does not expire on its own. Changing the account password invalidates all of the account's access tokens, including those; removing an application from the account's application settings revokes that application's tokens as well.

Facebook recently announced the migration of all applications to OAuth 2.0. Application developers have until September 1 to switch their applications to OAuth 2.0, which delivers the access token to the application server directly instead of placing it in the application's page URL, closing this leak path.

It may be a good time to change your Facebook password if you are using or have used third party applications on Facebook.


© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. |