A Tuesday report from Symantec said that, until recently, Facebook apps had inadvertently been leaking user data to third-party developers. In response, Facebook said the problem has been fixed and that no unauthorized Facebook data was shared with third parties.
In a blog post, Symantec's Nishant Doshi said that third-parties, mostly advertisers, have "accidentally" had access to Facebook user information like profiles, photographs, and chat.
"Fortunately, these third-parties may not have realized their ability to access this information," Doshi wrote. "[But] we estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
Facebook said it worked with Symantec to rectify the issue, but took issue with how it characterized the situation.
"We've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," Facebook said in a statement. "In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies."
At issue is the permissions dialog users must accept when installing an app, and how the access token granted through that dialog is handed back to the app. Facebook has been working to move apps from its legacy authentication system, and from plain HTTP, to OAuth 2.0 over HTTPS. In the wake of the Symantec investigation, Facebook said Tuesday that it will require all sites and apps to migrate to OAuth 2.0 and obtain an SSL certificate by October 1.
If an app is still using that legacy Facebook authentication system and passes certain parameters in its authentication redirect, however, "Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host," Doshi wrote. "The Facebook application is now in a position to inadvertently leak the access tokens to third parties potentially on purpose and unfortunately very commonly by accident."
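The leak Doshi describes, as an added illustration that is not part of Symantec's post or of this article: a Python script showing why a token in the query string of the app's landing URL reaches third parties while a token in the URL fragment (where the OAuth 2.0 client-side flow returns it) does not, followed by a scan of constructed ad-server log lines for tokens arriving in the HTTP Referer header. Symantec's post named the Referer header, sent by the browser when the app page loads embedded third-party content such as ads, as the accidental channel; this article does not reproduce that detail. The hostnames, token values and log lines below are made up, and `strip_token` is a hypothetical mitigation for an app that cannot migrate immediately, not anything Facebook or Symantec published.

```python
"""Constructed example: how an access token in an app's landing URL leaks
through the Referer header, and how a third party (or the app itself) can
find such tokens in ordinary web-server logs."""
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed landing URLs; hostnames and token values are made up.
# Legacy flow: token delivered in the query string.
LEGACY_URL = ("https://canvas.example-app.test/app/"
              "?access_token=AAABlegacytoken123&expires=1305000000")
# OAuth 2.0 client-side flow: token delivered in the fragment.
OAUTH2_URL = ("https://canvas.example-app.test/app/"
              "#access_token=AAABoauthtoken456&expires_in=3600")


def referer_for(landing_url):
    """Referer value a browser sends when the page at landing_url loads a
    sub-resource (ad script, tracking pixel, iframe).

    RFC 7231 section 5.5.2: the user agent must not include the fragment or
    userinfo; scheme, host, path and query are sent as-is. (The rule that
    suppresses Referer on HTTPS-to-HTTP requests is ignored here; it does
    not change the comparison.)"""
    p = urlsplit(landing_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def tokens_in_url(url):
    """access_token values visible in the query string of url."""
    return parse_qs(urlsplit(url).query).get("access_token", [])


def strip_token(landing_url):
    """Hypothetical mitigation for a legacy-flow app: the URL it should
    redirect to (after storing the token server-side) before rendering any
    page that embeds third-party content."""
    p = urlsplit(landing_url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k != "access_token"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))


# Combined Log Format, as an ad or analytics server would record requests.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines for a hypothetical ad server. Line 1 was referred by
# a legacy-flow landing page, line 2 by an OAuth 2.0 landing page (the
# browser already dropped the fragment), line 3 carries no Referer at all.
SAMPLE_AD_SERVER_LOG = [
    '203.0.113.7 - - [10/May/2011:15:04:05 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"https://canvas.example-app.test/app/?access_token=AAABlegacytoken123'
    '&expires=1305000000" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2011:15:04:09 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"https://canvas.example-app.test/app/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:15:04:12 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]


def scan_log(lines):
    """Return (client_ip, referring_host, token) for every request whose
    Referer carried an access_token parameter. Run over a third party's logs
    it shows what that party received; run over an app's own outbound-proxy
    logs it shows what the app gave away."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ref") == "-":
            continue
        for tok in tokens_in_url(m.group("ref")):
            leaks.append((m.group("ip"), urlsplit(m.group("ref")).netloc, tok))
    return leaks


if __name__ == "__main__":
    print("legacy flow, Referer seen by third party :", referer_for(LEGACY_URL))
    print("OAuth 2.0 flow, Referer seen by third party:", referer_for(OAUTH2_URL))
    print("legacy flow after strip_token           :", strip_token(LEGACY_URL))
    for ip, host, tok in scan_log(SAMPLE_AD_SERVER_LOG):
        print(f"token from {host} leaked by client {ip}: {tok}")
```

The scan only catches the `access_token` parameter name; a real sweep of proxy or ad-server logs would also look at the `session` parameter the legacy flow could return, and at any field long enough to be a bearer credential.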
Doshi said there was "no good way" to know how much data has leaked, but Facebook insisted no one has had access. Still concerned? Doshi suggested changing your password.
"Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile," he wrote.
The concept of "leaky apps" on Facebook is not particularly new. In October, the Wall Street Journal published a story that said Facebook apps shared users' personal information with advertising networks and other Internet-tracking companies. That included the top 10 apps on Facebook. That prompted Reps. Edward Markey and Joe Barton, the co-chairmen of the House Bi-Partisan Privacy Caucus, to write to Facebook asking for more answers. The social-networking site later defended its policies and denied that the revelations constituted a privacy breach.