Tuesday, June 7, 2011

Facebook Applications Accidentally Leaking Access to Third Parties

Third parties, in particular advertisers, have accidentally had access
to Facebook users’ accounts including profiles, photographs, chat, and
also had the ability to post messages and mine personal information.
Fortunately, these third parties may not have realized their ability
to access this information. We have reported this issue to Facebook,
who has taken corrective action to help eliminate this issue.

Facebook applications are Web applications that are integrated onto
the Facebook platform. According to Facebook, 20 million Facebook
applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME
applications inadvertently leaked access tokens to third parties like
advertisers or analytic platforms. We estimate that as of April 2011,
close to 100,000 applications were enabling this leakage. We estimate
that over the years, hundreds of thousands of applications may have
inadvertently leaked millions of access tokens to third parties.

Access tokens are like ‘spare keys’ granted by you to the Facebook
application. Applications can use these tokens or keys to perform
certain actions on behalf of the user or to access the user’s profile.
Each token or ‘spare key’ is associated with a select set of
permissions, like reading your wall, accessing your friend’s profile,
posting to your wall, etc.
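The post does not describe the path by which tokens reached advertisers or analytics platforms, but the practical question for an application owner is how to tell whether a token ever left the first-party domain. The following is an added example, not code from Symantec or from Facebook: it assumes (as a hypothesis, not something the post states) that a leaked token travels as a query or fragment parameter in a URL, either in a request to a third-party host or in the Referer header sent along with such a request. It scans constructed proxy log lines for that pattern and includes a helper that strips token parameters from a URL before it is served, so that subsequent third-party requests cannot carry it. The host allowlist and parameter names are placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Hypothetical configuration: hosts that may legitimately see the token.
# Any other destination is treated as a third party.
FIRST_PARTY_HOSTS = {"app.example.com", "graph.facebook.com"}

# Parameter names that would carry a Facebook-style access token in a URL.
# "access_token" is the OAuth name; the others are placeholders for legacy names.
TOKEN_PARAMS = {"access_token", "fb_sig_session_key", "session"}

# Constructed sample of outbound requests as a logging proxy might record them:
#   "<client> <method> <url> referer=<url-or-dash>"
SAMPLE_LOG = """\
client1 GET https://app.example.com/canvas?access_token=AAAB...xyz referer=-
client1 GET https://ads.example.net/pixel.gif referer=https://app.example.com/canvas?access_token=AAAB...xyz
client2 GET https://analytics.example.org/collect?page=home referer=https://app.example.com/home
client3 GET https://ads.example.net/track?access_token=AAAC...abc referer=-
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) referer=(?P<referer>\S+)$")


def token_params_in(url):
    """Return the token-carrying parameter names found in a URL's query or fragment."""
    if url == "-":          # proxy convention for "no Referer header"
        return set()
    parts = urlsplit(url)
    found = set()
    for piece in (parts.query, parts.fragment):
        found |= TOKEN_PARAMS & set(parse_qs(piece, keep_blank_values=True))
    return found


def host_of(url):
    return urlsplit(url).hostname or ""


def find_leaks(log_text, first_party_hosts=FIRST_PARTY_HOSTS):
    """Detection: list (client, third-party host, channel, params) for every
    request to a non-first-party host whose URL or Referer carries a token."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        dest = host_of(m["url"])
        if dest in first_party_hosts:
            continue                      # tokens are expected to reach these hosts
        via_url = token_params_in(m["url"])
        via_ref = token_params_in(m["referer"])
        if via_url:
            leaks.append((m["client"], dest, "request URL", sorted(via_url)))
        if via_ref:
            leaks.append((m["client"], dest, "Referer header", sorted(via_ref)))
    return leaks


def strip_token_params(url):
    """Mitigation: rebuild a URL with token-carrying parameters removed, so a
    page served at this address cannot pass the token on through Referer."""
    parts = urlsplit(url)

    def clean(piece):
        kept = [(k, v) for k, v in parse_qsl(piece, keep_blank_values=True)
                if k not in TOKEN_PARAMS]
        return urlencode(kept)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))


if __name__ == "__main__":
    for client, host, channel, params in find_leaks(SAMPLE_LOG):
        print(f"{client}: token param(s) {params} reached {host} via {channel}")
    print(strip_token_params("https://app.example.com/canvas?access_token=AAAB...xyz&page=1"))
```

Run against the constructed log, the scan flags two events: one token reaching an advertising host through a Referer header and one sent directly in a request URL, while the analytics request carrying no token and the first-party request are left alone. In a real deployment the allowlist would be the application's own origins plus the API endpoint the token is meant for, and the cleaner would run wherever the application composes URLs that embed third-party content.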
