The all new
CBS News App for Android® for iPad® for iPhone®
Fully redesigned. Featuring CBSN, 24/7 live news. Get the App

Facebook leaking access info to third parties

Tokens are like "spare keys" that Facebook users grant to applications that allow them to perform actions on their behalf or access their profile.
Symantec
Tokens are like "spare keys" that Facebook users grant to applications that allow them to perform actions on their behalf or access their profile.
Tokens are like "spare keys" that Facebook users grant to applications that allow them to perform actions on their behalf or access their profile.
Symantec

Facebook users should be concerned about their personal information getting into the hands of third parties, especially advertisers, over the past few years. Security company Symantec researchers wrote in a blog that third-parties potentially have access to personal information, including profiles, photographs and chat, and could have had the ability to post messages. However, most third-parties are unaware of the ability to access Facebook user information.

"Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," the researchers wrote.

They explained in technical terms that "access tokens are like 'spare keys' granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user's profile. Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc."

The Symantec blog post said Facebook has taken steps to resolve the issue.