Access to hundreds of thousands of Facebook accounts may have accidentally been leaked because of a flaw in some applications.
Security firm Symantec discovered that programs were inadvertently sharing access tokens which could be used by advertisers.
It estimates that, as of last month, 100,000 applications were still enabling leaks.
The flaw, which is fixed now, affected hundreds of thousands of apps before it was discovered by researchers from security company Symantec.
The bug exposed user access tokens to third parties, such as advertisers and analytics platforms. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user or to access the user's profile. Each token is associated with a select set of permissions, such as reading your wall, accessing your friends' profiles, posting to your wall, and so on.
Facebook said that it was improving authentication methods.
"We have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure," Facebook's Naitik Shah wrote in a blog post on Tuesday.
So how did this happen? Well, Facebook by default uses OAuth 2.0 for authentication.
That being said, it looks like the company has not been regularly testing its older authentication schemes, which are still supported and used by hundreds of thousands of apps.
Facebook is now working with third-party developers to help migrate them to the OAuth 2.0 system.
Facebook has more than 500 million users and is challenging Google Inc and Yahoo Inc for users' time online and for advertising dollars.