Wednesday, May 04, 2016
Search
  
Submit your own News for
inclusion in our Site.
Click here...
Breaking News
Sony Releases New Home Audio Products
HDD Sales Fall, Capacities Rise
Sony's Future Camera Could Be in The Form Of A Contact Lens
HP Refreshes The Pavilion PC Line-up
Intel and Oculus Bring Virtual Reality to Best Buy Stores
NVIDIA And Samsung Agree to Settle IP Litigation
Samsung Develops 3rd Generation 14-Nano FinFET Low-power Process
IE Loses Top Web Browser Spot to Chrome
Active Discussions
Which of these DVD media are the best, most durable?
How to back up a PS2 DL game
Copy a protected DVD?
roxio issues with xp pro
Help make DVDInfoPro better with dvdinfomantis!!!
menu making
Optiarc AD-7260S review
cdrw trouble
 Home > News > General Computing > Faceboo...
Last 7 Days News : SU MO TU WE TH FR SA All News

Wednesday, May 11, 2011
Facebook Apps Leaking Access to Advertisers


Facebook users' personal information could have been accidentally leaked to advertisers over the past few years, according to Symantec.

Third parties, in particular advertisers, have accidentally had access to Facebook users' accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information, Symantec said in its blog.

"Fortunately, these third-parties may not have realized their ability to access this information," the security firm added. Symantec has reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. The company estimates that as of April 2011, close to 100,000 applications were enabling this leakage.

"We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," Symantec said.

Access tokens are like 'spare keys' granted by users to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user?s profile. Each token or 'spare key' is associated with a select set of permissions, like reading a users' wall, accessing his or her friend?s profile, posting to a wall, etc.

"During the application installation process, the application requests the user to grant permissions to these actions. Upon granting these permissions, the application gets an access token. Using this access token, the application can now access the user's information or perform actions on behalf of the user," Symantec explained.

By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until users change their passwords, even when they aren't logged in.

By default, Facebook now uses OAUTH2.0 for authentication. However, older authentication schemes are still supported and used by hundreds of thousands of applications. When a user visits apps.Facebook.com/appname, Facebook first sends the application a limited amount of non-identifiable information about the user, such as their country, locale and age bracket. Using this information, the application can personalize the page.

The application then needs to redirect the user to a permission dialog page. The application uses a client-side redirect for redirecting the user to the familiar application permission dialog box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, "return_session=1" and "session_version=3", as part of their redirect code. If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host.

The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests.

"Needless to say, the repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked," Symantec said.

Symantec suggests concerned Facebook users to change their Facebook passwords to invalidate leaked access tokens.

Facebook has recently announced an update to their Developer RoadMap. The details of this update can be found here: https://developers.facebook.com/blog/post/497

Facebook has more than 500 million users and is challenging Google and Yahoo for users' time online and for advertising dollars.


Previous
Next
Pioneer To Use Live Camera Footage In Car Navigation Systems        All News        Samsung Tape Outs 32nm And 28nm Chips
Google Puts Aside $500 Million For Advertising Probe     General Computing News      Infineon Purchases Manufacturing Facilities from Qimonda

Get RSS feed Easy Print E-Mail this Message

Related News
Facebook Reports Strong First Quarter 2016 Results
Facebook Is Developing Snapchat-like App: report
Facebook To Show You More Articles You Want to Spend Time Viewing
Facebook Says Artificial Intelligence Is The Future
Facebook Advances The Messenger Platform, Announces 360-degree Video Camera at F8
Facebook is Adding New Ways to Create, Share and Discover Live Video
Artificial Intelligence to Help Blind People 'See' Facebook
Facebook's 'Safety Check' Enabled In Wrond COuntries After Lahore Blast
Facebook To Pay More British Tax
Court Says Facebook Has The Right To Block Users With Pseudonyms
Facebook Faces Competition Probe In Germany
Facebook To Pay $109,000 For Breaking IP Rules

Most Popular News
 
Home | News | All News | Reviews | Articles | Guides | Download | Expert Area | Forum | Site Info
Site best viewed at 1024x768+ - CDRINFO.COM 1998-2016 - All rights reserved -
Privacy policy - Contact Us .