Facebook may have accidentally exposed personal user data to advertisers and other third parties for several years, according to new research. Two security researchers at Symantec Corp posted in a blog on Tuesday that a Facebook programming error (since fixed) could have allowed advertisers to access member profiles, photographs and chat messages and to post messages and mine personal data from them.
The researchers said that the leaks stemmed from a faulty API used by developers of Facebook applications. However, in an emailed repsose to the accusations, Facebook argued that Symantec’s report has a “few inaccuracies.”
12/05/2011
It caused “hundreds of thousands” of Facebook applications to accidentally expose the so-called access tokens that are granted by users to Facebook applications, Symantec said.
“Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.,” the researchers said.
Any third party or advertiser associated with an application developer that had used the faulty API would have had access to the tokens, allowing them to perform whatever actions the tokens allowed.
While it’s unclear how many advertisers even knew what was going on, the potential repercussions of the data leaks are “far and wide,” Symantec claimed.
‘Innacuracies’
However, in an emailed repsose to the accusations, Facebook argued that Symantec’s report has a “few inaccuracies.”
Malorie Lucich Facebook spokeswoman, said: “We appreciate Symantec raising this issue and we worked with them to address it immediately,” said in an emailed comment.
But, “specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours,” she said.
“The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies,” Lucich said.
She added that Facebook has no evidence of information being used in a way that violates company policies. “We take any potential issue seriously and quickly took steps to prevent this from happening again.”