Facebook on Wednesday trashed a stunning revelation made by security software firm Symantec that third parties like advertisers had access to sensitive data of millions of Facebook users for years.
"We appreciate Symantec raising this issue and we worked with them to address it immediately ... But, specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours," Facebook spokeswoman Malorie Lucich said in an emailed comment, Computerworld reported.
"The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies," Lucich said, denying reports of a data breach.
On Tuesday, the Symantec researchers said in a blog post that Facebook, which had been notified about the issue, had confirmed the data leakage. According to the report, certain app security flaws had inadvertently given third parties access to user data, including account profiles, photographs and chats. The flaws also allowed third parties to post messages and mine personal information.
The report said these third parties may not have cashed in on this access, as they were unaware of it. "Fortunately, these third parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue," the report says.
According to the report, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytics platforms. "We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," the report says.
The Symantec report said access tokens are used by apps to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.
But Facebook denied there was any security scare as 'the vast majority of tokens expire within two hours.'