Facebook apps leaked users' personal data to advertisers, other third parties, for years

A Facebook security hole allowed advertisers and other third parties to access user accounts and personal data, according to a blog post today from internet security firm Symantec. They identify the exposure as having been active for as long as Facebook has offered applications on its platform, beginning in 2007— so, four years.

That unintended access included "profiles, photographs, chat, and the ability to post messages and mine personal information," wrote Symantec's Nishant Doshi, who is credited with finding the issue along with colleague Candid Wueest. "Fortunately, these third-parties may not have realized their ability to access this information."

Facebook today said the problem has been fixed, and there is no evidence that any actual private data was leaked. More from the Symantec post:

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
Access tokens are like 'spare keys' granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user's profile. Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc.

More: Here is the Wall Street Journal story, and CNET has a related report here.

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

MORE: News • privacy • Ripoffs • security • Technology

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

Raardvarks

I am not shocked.

How sad.
- AnthonyC
  
  I think the lack of shock is perhaps the saddest part. It wouldn’t be so sad for companies to leak data through security holes, if such events were rare.
TriadX1

I would be more surprised if nobody really knew this. There are plenty of people who want this info, and Facebook likely gave them a way to get to it. Fits Zuckerberg’s profile perfectly.
- Suds
  
  Agreed. I may be the paranoid type, but I don’t think this is an accident. EVERYTHING on the internets Will be accessible, sooner or later.
Anonymous

eHipster’s remember when it was all about the personal connections, maaaaan
Anonymous

I was a late-comer to FaceBook, but within hours of making a profile I clicked on something that elicited a “this app would like to access your profile info…”. No. Delete. Cancel. And since then I have refused to click on any app, use any app, and keep all of my settings to almost max privacy. Any time I see something on someone else’s profile that even looks remotely like spam, I click on “report as spam”. Any time I have to “like” something to be able to read on further, I refuse. Can FB still be peddling my info? sure, but that’s why they don’t have anything that I don’t already consider pretty much public info already. Apply this to all your interactions with the internet and you should be as “safe” as anyone can be.
TEKNA2007

Friends don’t let friends drive Facebook.
EH

Facebook has enough smart people working there that they had to be prevented from doing something about this, or that their development guidelines spell out different behavior than their public statements of the “we value privacy” variety. There has been no privacy legislation in the Internet era and so many companies are taking advantage of that. It’s lawless behavior.
Anonymous

I’m neither surprised or shocked. I’m not worried either, I didn’t join.
- emmdeeaych
  
  if you’re a non-joiner, be aware that your opinion is accordingly relevant and interesting.
  - Anonymous
    
    Don’t be so defensive. So you joined Facebook, no big deal, lots of people make the same mistake. It’s not too late to get better.
bolamig

Seems like splitting hairs to call this a breach when there are so many privacy violations on facebook. The only thing that surprises me is that they’re claiming they’ll stop this.
Jake0748

Yeah… I always assumed Facebook and their partners were tossing my data around willy-nilly. I mean that’s their whole business model, isn’t it? I used a few of their “apps” at the beginning, but found it insulting that they just basically TELL you that they’re going to share you and your friends’ info wherever they feel like it.

I don’t particularly care if everyone knows where I live or what I like to eat for breakfast. But I do try to draw a line somewhere… like birth date, SS number, bank and credit card info, etc. I’m sure someone (or many someones) could find out all that stuff if they really wanted to.

Who cares… we’re all screwed anyway.
teapot

..and this is why I’m glad I was always suspicious of agreeing to share information with facebook’s terrible “apps”, most of which are just shitty knock-offs of other available games or services.
jtegnell

But but but but the younger generation has a different understanding of privacy, and we just need to deal.

It’s true because the overpaid “youth culture expert” on CNN/MSNBC/FOX told me so!
Purplecat

The only reason I’d be surprised about this is if this “bug” allowed access to that data without paying facebook for it first.

That’s the only way in which this could be an oversight.
Rindan

Um… wasn’t this pretty much a given? You hand over that info not for your health. Where do you think it goes? Frankly, I wouldn’t care if it wasn’t for the fact that they will sell the crap they scrap to anyone. Pawning it off onto advertisers is only annoying if they can scrape your phone number or address and send you real world spam.

“Targeted” advertising itself is fine. I would love it if the stupid ads that chased me around the tubes actually was of stuff I have the slightest interest in. Sadly, it is pretty clear that I am either covering my tracks too well or “targeted” advertising has he accuracy of a blind man on a roller coaster. Psst… I don’t own a fucking house, don’t want a house, and don’t give two shits what awesome interest rates your dancing baby is offering on home loans. Also, I’m probably not into Christian singles.

What sucks about Facebook being an open book to these scrapers is that they sell this stuff to “people search” companies. I don’t care so much if some advertiser pays money to flail ineffective ads at me based upon some demographic they think I am. I do care if the HR asshole for some company I want to work for gets a hold of that information and decides that I look too blasted in that college picture from 5 years to be working at a respectable company like his.

The end result is that you need to treat Facebook like all of that information is going to be free to Google. It sucks, because the real appeal of Facebook is a way to communicate privately with your friends in a way less kludgey than mass mailing your friends. As long as these services are built on advertisement though, you can pretty much kiss this dream goodbye. The only real alternative is a subscription service that has some incentive to take privacy seriously, or an open source distributed network of some kind. I won’t hold my breath for either. People are too cheap to pay and open source projects without the backing of a corporation trying to cash in on it have a pretty solid history of having the usability of computer parts junk bin… which is to say that some of us find it perfectly usable, but or friends think we are insane.
WeightedCompanionCube

A little more background info: Facebook apps direct the user to a “connect” page on Facebook. If the app is approved, Facebook redirects the user back to the app with an approval code in the URL. The app sends this code plus a secret API key to Facebook. Facebook returns a token that will give the app access to that user’s data.
From that point on, the token value is the only thing needed to access your data. No app ID, no API key, nothing. The reasoning behind this is that it makes requests small, fast, and anonymous.

And that is exactly why OAUTH 2.0 tokens are a bad bad idea. But… anyone who has that token can access your data! It was just a matter of time before those tokens are leaked to unknown parties, either intentionally or by a compromise.

If Facebook is at fault, it’s for trusting apps won’t misbehave. Blame the apps for leaking the data you decided to give them. The developers’ AUP clearly states apps WILL NOT give access tokens to anyone else.

I proposed to the OAUTH working group that apps sign each token-bearing request with the API key the app used to get the token in the first place. That way, apps can’t give away tokens without also giving away something they definitely don’t want anyone else to know.

The response was generally “OAUTH2.0 is over HTTPS, we don’t need any extra signing or crypto” … but they don’t check to see if the token is coming from the entity it was issued to!
ecobore

I am shocked, shocked!! No, of course I’m not shocked.. That is precisely why I don’t allow any apps into my facebook!!!
technogeek

Hardly surprised.

Basic principle: If you don’t own and control the server and its security, and the server’s owner isn’t under a contract which makes them financially liable if their security is inadequate, don’t expect security… and even then, make sure the contract will carry over to their successor if the service is bought out by someone else.

You may not always get what you pay for; you should never count on getting what you aren’t willing to pay for.

When you connect to a computer, you are connecting to every computer that computer ever has, or ever will, connect to. Practice safe hex.