Symantec Discovers About 100,000 Facebook Apps Have Been Leaking Personal Data For Years

Posted May 10, 2011

IT security company Symantec Corporation (NASDAQ:SYMC) has discovered that third-party Facebook applications have been leaking Facebook account data for years. These apps could see profiles, photos, and chat sessions. The apps also had the ability to post messages and mine personal information. However, these third-party applications did not know they had access to the information.

Facebook had discovered that Facebook iFrame applications leaked access tokens to third parties. Access tokens are comparable to “spare keys” given to Facebook applications that allow them to do certain things, such as reading a wall or accessing a profile.

Facebook had leaked the access tokens “by sending a HTTP request containing the access tokens in the URL to the application host.” The apps would then pass on the URL to advertisers, and the URLs contained the access token numbers. Facebook director of developer relations Douglas Purdy said the problem was fixed when Symantec informed Facebook about it. Purdy said:

“We appreciate Symantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has some inaccuracies. Specifically, we’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from sharing user information in a way that violates our policies.”
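The leak path described above (a token carried in the application URL, and that URL then handed to an advertiser) can be checked for and closed on the application side. The following is an added example, not code from Symantec, Facebook or the original article; the parameter names, hosts and token value are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote

# Assumed parameter names; "access_token" is the OAuth 2.0 name, the rest are illustrative.
SENSITIVE_PARAMS = {"access_token", "signed_request", "code"}

def _strip(component):
    """Drop sensitive key=value pairs from a query string or fragment."""
    pairs = parse_qsl(component, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in SENSITIVE_PARAMS]
    removed = len(pairs) - len(kept)
    # Leave the component untouched when nothing was removed (e.g. "#section2").
    return (urlencode(kept) if removed else component), removed

def scrub_url(url):
    """Return (url_without_tokens, number_of_parameters_removed)."""
    p = urlsplit(url)
    query, n_q = _strip(p.query)
    fragment, n_f = _strip(p.fragment)
    return urlunsplit((p.scheme, p.netloc, p.path, query, fragment)), n_q + n_f

def token_values(url):
    """Collect the secret values present in a URL's query or fragment."""
    p = urlsplit(url)
    pairs = parse_qsl(p.query) + parse_qsl(p.fragment)
    return {v for k, v in pairs if k.lower() in SENSITIVE_PARAMS and v}

def third_party_leaks(page_url, outbound_urls, app_host):
    """List outbound requests to other hosts that carry a token from page_url."""
    secrets = token_values(page_url)
    leaks = []
    for out in outbound_urls:
        if urlsplit(out).hostname == app_host:
            continue  # request stays with the application host
        decoded = unquote(unquote(out))  # token may sit inside a nested, encoded URL
        if any(s in decoded for s in secrets):
            leaks.append(out)
    return leaks

# Constructed sample data: the app page URL and the requests it triggers.
PAGE = "https://app.example/canvas?access_token=CONSTRUCTED_TOKEN_123&lang=en"
OUTBOUND = [
    "https://ads.example/tag.js?ref=https%3A%2F%2Fapp.example%2Fcanvas"
    "%3Faccess_token%3DCONSTRUCTED_TOKEN_123%26lang%3Den",
    "https://app.example/api?access_token=CONSTRUCTED_TOKEN_123",
    "https://cdn.example/lib.js",
]

if __name__ == "__main__":
    print(third_party_leaks(PAGE, OUTBOUND, "app.example"))
    print(scrub_url(PAGE))
```

Running `scrub_url` on any page URL before it is embedded in an ad or analytics request removes the token from what the third party receives.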