Time and again, Facebook finds itself at the center of criticism for accidentally leaking users’ personal information to advertisers and other third parties. Symantec has now found that Facebook had unintentionally been giving hackers a way to gain access to thousands of users’ profiles for the last four years, since the company started offering applications on its platform in 2007.
The unintended access covered photos, profiles, chat, and the ability to post messages and mine personal information. Although Facebook claims to have addressed the issue and says it has found no evidence that any data was actually leaked through the flaw, the incident puts the company’s services and security measures back up for debate.
Symantec has claimed that the “security process which allows access to any third-party application” held a major flaw. It is likely, however, that many third-party app developers did not realize the security threat existed.
Generally, Facebook assigns a “token” to every third-party application, which the app then uses to access the user’s information. These tokens are valid for a certain duration, in some cases until the user changes his password. Although Facebook has started using OAuth 2.0, the legacy authorization system is still in place and still used by many app developers. Symantec explains that these tokens can leak when the user is redirected to the permission page through a client-side redirect, with the token embedded in the URL, over plain HTTP.
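The mechanism above comes down to where in the URL the credential sits: a token in the query string is copied into the Referer header of every request the page makes and into web-server logs, while a token in the fragment stays in the browser. The following added example (not Symantec’s or Facebook’s code; the URLs, parameter names and log lines are constructed for illustration) classifies a redirect URL and scans combined-format access logs for Referer headers that carry a token.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that act as bearer credentials; in a query string they are
# copied into the Referer header of the next request and into access logs.
# Constructed list, not Facebook's actual parameter set.
SENSITIVE_PARAMS = {"access_token", "session_key", "code", "token"}

# Apache/nginx "combined" log format: the Referer is the first quoted field
# after the status code and size; the user agent is the last quoted field.
_REFERER_RE = re.compile(r'" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def token_exposure(url):
    """Report where token-like parameters sit in a URL.

    'query'     -> leaks via Referer and server logs (the legacy-auth case)
    'fragment'  -> kept by the browser, never sent in Referer (OAuth 2.0 style)
    'plaintext' -> scheme is http, so the whole URL is also visible on the wire
    """
    parts = urlsplit(url)
    report = {"query": [], "fragment": [], "plaintext": parts.scheme == "http"}
    for section in ("query", "fragment"):
        params = parse_qs(getattr(parts, section), keep_blank_values=True)
        report[section] = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
    return report

def is_leaky(url):
    """True when a credential would travel in the query string."""
    return bool(token_exposure(url)["query"])

def scan_referers(log_lines):
    """Return (line_no, referer, leaked_params) for combined-format log lines
    whose Referer header carries a credential in its query string."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REFERER_RE.search(line.rstrip())
        if not m or m.group("referer") in ("", "-"):
            continue
        leaked = token_exposure(m.group("referer"))["query"]
        if leaked:
            hits.append((n, m.group("referer"), leaked))
    return hits

# Constructed samples (not real Facebook URLs, tokens or log data). The second
# log line keeps a fragment only to show it is not flagged; real browsers strip
# the fragment before sending a Referer at all.
LEGACY_REDIRECT = "http://apps.example.test/canvas/?session_key=abc123&uid=42"
OAUTH2_REDIRECT = "https://apps.example.test/canvas/#access_token=abc123&expires_in=3600"
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /ad.js HTTP/1.1" 200 812 '
    '"http://apps.example.test/canvas/?session_key=abc123&uid=42" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2011:12:00:02 +0000] "GET /ad.js HTTP/1.1" 200 812 '
    '"https://apps.example.test/canvas/#access_token=abc123" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:03 +0000] "GET /ad.js HTTP/1.1" 200 812 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_referers(SAMPLE_LOG):
        print("token in Referer at line %d: %s -> %s" % hit)
```

Running the script flags only the first log line, where the legacy-style session_key sits in the query string of the referring page.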
In response to this exposure, Facebook released a clarifying email stating: “We’ve conducted a thorough investigation which revealed no evidence of this issue resulting in a user’s private information being shared with unauthorized third parties.” Interestingly, they did not bother to mention how exactly the company conducted its study.
Facebook has been criticized several times before for various security loopholes and for failing to take adequate measures to protect users’ personal data. In January this year it was Mark Zuckerberg, CEO of Facebook, who faced the heat when his fan page was hacked with the message “Let the hacking begin: If Facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? [LINK] What do you think? #hackercup2011”.
Facebook has recently announced an update to its Developer Roadmap. The details of this update can be found here: https://developers.facebook.com/blog/post/497