Symantec, the largest developer of computer security software, announced that there was a security flaw in Facebook that allowed third parties to access user accounts and profile information. Facebook fixed the flaw last Tuesday, but all the information that leaked may still be out there, stored in server log files or in the applications themselves, and could still be exploited by third parties.
About the Security Flaw
The flaw exists because of Facebook applications. Some of these applications shared “access tokens” with their advertisers and with some analytics companies. However, these access tokens can also be used by those same advertisers and analytics companies to view your account data, profile information, wall posts, friends, and more. So, in a sense, when you allowed the application to access your profile, you also unknowingly allowed these third parties access to your account. Think of the tokens as ‘spare keys’. Third parties can use these spare keys to enter your account and mine your data, then use it for their own purposes.
All of this, however, happened by accident, and Facebook did not even know of the flaw until Symantec advised them about it.
No harm done, really?
Of course, there’s a teeny-tiny possibility that these third party sites never even realized that they had this sort of access to data. In fact, Facebook insists that there is no evidence to suggest that such a breach has happened, but then again, who is to believe them? Are we really supposed to take their word for it? They did not even give details on how they ‘investigated’ the matter.
Facebook first introduced Applications back in 2007, and this security flaw has been around ever since. Just imagine how much data could have leaked in more than three years. Symantec estimates that 100,000 apps have this flaw. It’s hard to believe that nobody in that span of time has discovered this golden opportunity to steal data.
If you’re one of the few people who have not tried even a single application on Facebook, then you can count yourself lucky. As for the rest of us who have virtual farms, restaurants, and whatnot, we have to twiddle our thumbs and wonder whether or not we have been victimized through this security flaw.
There is, however, one thing we can do, according to Symantec, and that’s to change our Facebook passwords. These access tokens will continue to work unless a user changes his password, so the best thing to do would be to change the ‘locks’ so that the ‘spare keys’ will no longer work.