Symantec: Facebook Apps are leaking access to third parties
A recent Symantec report by Nishant Doshi claims that a number of Facebook Web applications are leaking access to third-party advertisers and analytics platforms, potentially exposing users' accounts and information such as profiles, photographs and chat, and also granting the ability to post messages and mine personal information.
According to the report, "Fortunately, these third-parties may not have realized their ability to access this information. Symantec has reported this issue to Facebook, who has taken corrective action to help eliminate this issue."
Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.
Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
How does the access token get leaked?
By default, Facebook now uses OAuth 2.0 for authentication. However, older authentication schemes are still supported and used by hundreds of thousands of applications. When a user visits apps.Facebook.com/appname, Facebook first sends the application a limited amount of non-identifiable information about the user, such as their country, locale and age bracket. Using this information, the application can personalize the page.
The Facebook application is now in a position to leak the access tokens to third parties, potentially on purpose and, unfortunately, very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers in the referrer field of the HTTP requests.
For example, if the application's first page requests resources from an external advertiser URL using an iframe tag, the access token will be leaked in the referrer field.
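To make the referrer leak concrete from the defender's side, here is an added example that is not from the Symantec report or from Facebook: it scans constructed web-server log lines in combined format for credentials arriving in the Referer field, and produces the cleaned URL an app should redirect to after consuming its token. The hostnames, token values and the `session_key` parameter name are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never reach a third party via the Referer header.
# "access_token" is the one the report describes; "session_key" is an assumed
# name for an older-scheme credential, included only as an illustration.
SENSITIVE_PARAMS = {"access_token", "session_key"}

# Apache/nginx "combined" log format: client ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines as they might appear on an advertiser's server whose
# script is embedded in the app's canvas page. Hosts and token values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:12:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 "https://app.example.test/canvas/?access_token=EXAMPLETOKEN123&expires=0" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:12:00:02 +0000] "GET /ad.js HTTP/1.1" 200 512 "https://app.example.test/canvas/" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://app.example.test/canvas/?session_key=EXAMPLESESSION&locale=en_US" "Mozilla/5.0"
"""

def redact(value):
    """Keep a short prefix for correlation without writing the secret to a report."""
    return value[:4] + "..." if len(value) > 4 else "***"

def leaked_params(referer):
    """Map sensitive query parameter names in a referrer URL to redacted values."""
    query = urlsplit(referer).query
    return {k: redact(v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}

def scan_log(text):
    """Detection on the receiving side: flag requests whose Referer carried a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m and (leaked := leaked_params(m["referer"])):
            findings.append({"line": lineno, "client": m["ip"],
                             "path": m["req"].split()[1], "params": leaked})
    return findings

def strip_sensitive_params(url):
    """Mitigation on the app side: the cleaned URL the app should redirect to (or set
    with history.replaceState) after consuming the token server-side, so that any
    third-party resource loaded afterwards receives a Referer without the credential."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

The same check applied to an app's own access logs shows how often its pages are being served with a token in the URL at all, which is the condition that makes the leak possible.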
Conclusion
The repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked.
Nishant Doshi and Candid Wueest from Symantec are credited with the discovery of this issue.
Facebook has recently announced an update to their Developer RoadMap. The details of this update can be found here: https://developers.facebook.com/blog/post/497