Facebook applications may have allowed third parties to access user information, according to Symantec's official blog. Facebook denies the claims, but Symantec went into quite a bit of detail explaining how it happened.
As many as 100,000 applications enabled leakage through Facebook's IFRAME code, handing access tokens to third parties. These tokens are supposed to allow applications to perform various actions on behalf of users or to access certain information on a user's profile. When you are first presented with the option to allow an application, it declares what information the application will be able to access.
A feature called "offline access" also grants applications the ability to perform actions on behalf of the user even when the user is not online. Facebook eventually changed to a new authentication system (OAuth 2.0), but many applications still use older authentication schemes. Using certain parameters, it is possible for third parties to acquire the access tokens.
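The leak the article describes comes down to a token travelling in a URL parameter and then reaching whoever serves the next request. The following is an added example, not code from the article, Symantec or Facebook: it scans constructed web-server log lines for requests whose query string carries a token and for Referer headers that would hand such a token onward, and shows how to redact the token from a URL before it is logged or forwarded. The parameter names watched (access_token, session_key, oauth_token) and the assumption that the hand-off happens through the HTTP Referer header are this example's own, not details the article states.

```python
"""Detect and redact access tokens that leak through URLs.

Added example, not from the article or from Facebook/Symantec. The sample
log lines below are constructed; the token parameter names are an
assumption (access_token is the usual OAuth name, the others stand in for
older schemes).
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Query parameters treated as token-bearing (assumption for this example).
TOKEN_PARAMS = {"access_token", "session_key", "oauth_token"}

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a canvas page loaded with a token in its query string,
# a banner fetched afterwards whose Referer repeats that URL, and a clean hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] '
    '"GET /app/canvas?access_token=EXAMPLE_TOKEN_abc123&page=2 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2011:12:00:02 +0000] '
    '"GET /ad/banner.gif HTTP/1.1" 200 88 '
    '"http://apps.example/app/canvas?access_token=EXAMPLE_TOKEN_abc123&page=2" '
    '"Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2011:12:00:03 +0000] '
    '"GET /app/canvas?page=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def token_params_in(url):
    """Return the token-bearing parameter names present in url's query string."""
    query = parse_qs(urlsplit(url).query)
    return sorted(TOKEN_PARAMS & set(query))


def redact_url(url):
    """Replace token values so the URL can be logged or forwarded safely."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in TOKEN_PARAMS & set(query):
        query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scan_log(lines):
    """Return (finding, client_ip, redacted_url) tuples.

    token_in_request_url: the token sits in our own request URL, so it is
    already in our logs and will ride along in the Referer of anything the
    page embeds next.
    token_in_referer: the page that led here carried a token; if this log
    belongs to a third-party host, this line is the leak itself.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skipped rather than guessed at
        if token_params_in(m["path"]):
            findings.append(("token_in_request_url", m["ip"], redact_url(m["path"])))
        ref = m["referer"]
        if ref and ref != "-" and token_params_in(ref):
            findings.append(("token_in_referer", m["ip"], redact_url(ref)))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

Run against real access logs, the first finding type tells you which of your own endpoints accept tokens in the URL (the mitigation is to move them to a header or POST body); the second tells you which referring pages are already leaking. The redaction keeps the parameter name so the log still shows that a token was present without preserving its value.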
Facebook did not deny the existence of the problem but did say that it took steps to correct it some time ago, and that Symantec's report fails to take that into account. Facebook also says that it investigated the problem and found that no private user information had been shared with "unauthorized third parties." Unfortunately, Symantec says, there is no way to know what might have been leaked, but concerned users can change their passwords to easily protect their accounts.
Facebook has had its fair share of privacy issues and problems with terms of service regarding advertisers and user rights. With a network as large as it is, security is bound to be a concern. The social network recently added a feature to allow users to always use encrypted URLs (HTTPS) to increase security.