A discovery that really should not surprise anyone was made yesterday by Symantec – it turns out that, due to a flaw in the authentication schemes used before the now-default OAuth 2.0, Facebook IFRAME applications have been leaking access tokens to third parties such as advertisers or analytics platforms.
What it means is that these third parties had access to users’ accounts and all that is in them – even if the privacy settings shouldn’t have allowed it – and they also had the ability to post messages on the users’ behalf.
Symantec points out that these third parties have likely been unaware of their ability to access that information, but that is hardly comforting.
“Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc,” the researchers explain. “By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in.”
They estimate that over the years – starting with 2007, when Facebook applications were first introduced – millions of access tokens have been leaked, and they think it possible that a great number of these tokens are still available in log files of third-party servers or are still being used by advertisers. Luckily for the users, there is a simple way to invalidate these tokens: changing the Facebook password.
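For an operator of a third-party service (an analytics or ad platform) who wants to know whether such tokens ever reached their own logs and to scrub them, the following is an added illustration, not Symantec's or Facebook's code. It assumes the token travelled as an `access_token` URL parameter, either in the request path or in the Referer header of the page that embedded the third-party resource; the log lines are constructed and the token values are fake.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: combined-log-format lines from a hypothetical third-party
# analytics server embedded in a legacy Facebook IFRAME app. Not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif?app=123 HTTP/1.1" 200 43 "https://apps.facebook.com/exampleapp/?access_token=AAAB.fake1.token&expires_in=0" "Mozilla/5.0"
203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /track?access_token=AAAB.fake2.token&uid=42 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://apps.facebook.com/exampleapp/" "Mozilla/5.0"
"""

# Captures the request path and the quoted Referer field of a combined-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ \d+ "(?P<referer>[^"]*)"')
TOKEN_PARAM = "access_token"


def tokens_in_url(url):
    """Return every access_token value carried in a URL's query or fragment.

    Browsers never send the fragment to a server, but client-side analytics
    often record the full page location, so both parts are checked.
    """
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        found.extend(parse_qs(component).get(TOKEN_PARAM, []))
    return found


def find_leaked_tokens(log_text):
    """Return (line_no, field, token) for each token found in a path or Referer."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        for field in ("path", "referer"):
            for tok in tokens_in_url(m.group(field)):
                hits.append((n, field, tok))
    return hits


def redact_tokens(log_text):
    """Replace every access_token value so stored logs no longer hold a usable key."""
    return re.sub(r'(access_token=)[^&#"\s]+', r'\g<1>[REDACTED]', log_text)
```

Rotating the token on the Facebook side (by the user changing their password, as the article notes) is what actually revokes access; redacting logs only removes the stored copy.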
According to Symantec, Facebook has already fixed the flaw, but the fact that vulnerabilities like these seemingly pop up at regular intervals makes me believe that Facebook is not actively searching for them – that, in fact, they are there because it suits Facebook’s agenda.
On the other hand, Facebook is an extremely complex system, and things like this are inevitable – especially when dealing with legacy technologies. Part of the solution is the company’s announcement that it will be pushing app developers to migrate their apps from the old Facebook authentication system to OAuth 2.0.