Facebook may have leaked personal info on millions
For years, an accidental security flaw in the way Facebook handled embedded frames allowed applications developers to access information on a user's profile that installed that application. It is estimated that nearly 100,000 applications may have enabled this flaw, potentially affecting millions.
Symantec, the company that discovered the vulnerability, reported it to Facebook. The flaw has been fixed, but it is unknown if any of the data had been used maliciously.
With 500 million active users, the flaw has the potential to be much larger than the PlayStation Network breach, which has 77 million users. There is a caveat though: the user would have needed to have installed one of the vulnerable applications in order to be at risk.
"There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007," Symantec's Nishant Doshi wrote in a blog post. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
Neither Symantec nor Facebook are specifying which applications may have been affected, although the social networking site says they had no evidence that data was leaked. That said, if the user has not changed their password in quite awhile, and had one of these applications installed, they would still be at risk.
This is due to the fact that the flaw allowed the application developer to obtain the "access token," which still is valid regardless of whether or not the hole was closed.
Doshi said it might be possible that developers don't even realize they have these "keys," although in the past some have passed user information onto advertisers in violation of Facebook polices. The social networking site punished several developers last fall for doing exactly that.