Contact
QR code for the current URL

Story Box-ID: 422826

Symantec (Deutschland) GmbH c/o Regus Munich 5 Höfe Rosenheimer Strasse 143c 81671 München, Germany http://www.symantec.de
Contact Ms Agnieszka Zyluk +49 30 526852466
Company logo of Symantec (Deutschland) GmbH c/o Regus Munich 5 Höfe
Symantec (Deutschland) GmbH c/o Regus Munich 5 Höfe

Facebook Applications Accidentally Leaking Access to Third Parties

(PresseBox) (Ratingen, )
Third parties, in particular advertisers, have accidentally had access to Facebook users' accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

Access tokens are like 'spare keys' granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user's profile. Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc.

Figure 1. illustrates some of these permissions.

During the application installation process, the application requests the user to grant permissions to these actions. Upon granting these permissions, the application gets an access token as seen in Figure 2.

Using this access token, the application can now access the user’s information or perform actions on behalf of the user.
https://graph.Facebook.com/......

By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in.

How does the access token get leaked?
By default, Facebook now uses OAUTH2.0 for authentication. However, older authentication schemes are still supported and used by hundreds of thousands of applications. When a user visits apps.Facebook.com/appname , Facebook first sends the application a limited amount of non-identifiable information about the user, such as their country, locale and age bracket. Using this information, the application can personalize the page.

The application then needs to redirect the user to a permission dialog page, as seen here.

The application uses a client-side redirect for redirecting the user to the familiar application permission dialog box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, "return_session=1" and "session_version=3", as part of their redirect code, as seen in Figure 4.

If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host.

The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests.

For example, if this application’s first page was requesting resources from an external URL using an iframe tag from an advertiser, then the access token will get leaked in the referrer field. This is illustrated in Figure 5.

Conclusion

Needless to say, the repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked.

There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.

Nishant Doshi and Candid Wueest from Symantec are credited with the discovery of this issue.

Facebook has recently announced an update to their Developer RoadMap. The details of this update can be found here: https://developers.facebook.com/...
The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.
Important note:

Systematic data storage as well as the use of even parts of this database are only permitted with the written consent of unn | UNITED NEWS NETWORK GmbH.

unn | UNITED NEWS NETWORK GmbH 2002–2024, All rights reserved

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.