Facebook continued its naughty streak this week with what is perhaps the most widespread case of user account access leakage in the network's history. The culprit? Nearly 100,000 of the platform's applications.
"Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
According to Symantec, these access tokens provide a direct doorway to user profiles, photos, chats and other personal information. (For a detailed rundown of how they were leaked, see Symantec's post here.)
Facebook Takes Action
Before you bust out your pitchfork, it's worth noting that most app developers probably didn't realize they had this access. Further, Facebook says most access tokens expire in two hours, meaning they'd be useless to malicious third parties after that time.
Facebook has acknowledged the issue in an official blog post by developer Naitik Shah, which notes that the company is working with Symantec to find additional issues in the network's authentication flow.
"This has led us to conclude that migrating to OAuth & HTTPS now is in the best interest of our users and developers," he wrote. "We believe these changes create better and more secure experiences for users of your app."
Accordingly, the most recent update to Facebook's Developer Roadmap outlines a plan that requires all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1.
For all you developers out there, the timeline goes like this:
- July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
- September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
- October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.
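As an added example (not code from this article, Symantec or Facebook), here is how a Canvas app can validate the signed_request parameter the roadmap requires: the signature is HMAC-SHA256 over the base64url-encoded JSON payload, keyed with the app secret, so a third party that only sees a URL cannot forge or alter the user data it carries. The app secret and payload fields below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real app keeps its secret server-side only.
APP_SECRET = b"example-app-secret-not-real"


def _b64url_decode(s: str) -> bytes:
    # signed_request uses URL-safe base64 with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_signed_request(payload: dict, secret: bytes = APP_SECRET) -> str:
    """Build a signed_request the way the platform does (used here to create test input)."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body.decode()


def parse_signed_request(signed_request: str, secret: bytes = APP_SECRET):
    """Return the payload dict if the HMAC-SHA256 signature verifies, else None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        data = json.loads(_b64url_decode(payload))
        received_sig = _b64url_decode(encoded_sig)
    except ValueError:
        # Malformed base64, missing separator or invalid JSON: reject.
        return None
    if not isinstance(data, dict) or data.get("algorithm", "").upper() != "HMAC-SHA256":
        return None
    # The MAC is computed over the encoded payload string exactly as received.
    expected_sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing differences cannot help an attacker.
    if not hmac.compare_digest(expected_sig, received_sig):
        return None
    return data


if __name__ == "__main__":
    # Constructed payload mirroring the fields a Canvas app receives.
    sr = make_signed_request({"algorithm": "HMAC-SHA256", "issued_at": 1304640000,
                              "user_id": "12345", "oauth_token": "constructed-token"})
    print(parse_signed_request(sr))            # verified payload dict
    print(parse_signed_request(sr, b"wrong"))  # None: signature does not verify
```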
To Worry or Not?
Human error is inevitable, but Emil Protalinski of ZDNet hit the nail on the head when he pointed out how worrying it is that Facebook did not find the leak on its own, especially considering how long it had been happening.
If you're part of the seriously concerned crowd, changing your password will invalidate leaked access tokens.