Facebook caught exposing millions of user credentials.

Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible.

“There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007,” Symantec's Nishant Doshi wrote in a blog post published on Tuesday. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

While many access tokens expire shortly after they're issued, Facebook also supplies offline access tokens that remain valid indefinitely. Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys.

The flaw resides in an authentication scheme that predates the roll out of a newer standard known as OAUTH. Facebook apps that rely on the legacy system and use certain commonly used code variables will leak access tokens in URLs that are automatically opened by the application host. The credentials can then be leaked to advertisers or other third parties that embed iframe tags on the host's page.

“The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident,” Doshi wrote. “In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests.”

US computer security firm Symantec on Tuesday said that Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network.

Symantec discovered that certain Facebook applications leaked tokens that act essentially as "spare keys" for accessing profiles, reading messages, posting to walls or other actions.

Facebook applications are Web software programs that are integrated onto the leading online social network's platform. Symantec said that 20 million Facebook applications such as games are installed every day.

The tokens were being leaked to third-party applications including advertisers and analytics platforms allowing them to post messages or mine personal information from profiles, according to Nishant Doshi of Symantec.


Links:
http://www.theregister.co.uk/2011/05/10/facebook_user_credentials_leaked/
http://www.rawstory.com/rs/2011/05/10/facebook-leaked-personal-data-to-advertisers/