“Facebook Applications Accidentally Leaking Access to Third Parties”

May 15, 2011

Symantec blog posting:

What happens? QUOTE: According to Symantec’s analysis, the problem was caused by a flaw in the old Facebook API which apps used to authenticate their account access. When a user grants account access to a web app, the app is given an “access token” which it can then renew. Symantec said that this access token can be mistakenly inserted into a URL returned by Facebook to the app server when the user logs in to an app. If the app loads an ad banner or analytics code as a next step, it will send that URL, including the access token, in the referrer field of its HTTP request for the content. This referrer data is likely to have been stored in the log file on the advertising or analytics providers’ server.

User impersonation tokens: changing the user’s password will invalidate old tokens. New tokens are safe.
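To make the leak path concrete from the operator’s side, here is an added example (my own code, not Symantec’s or Facebook’s) showing both halves of the problem: an app that has just received a token in its URL should strip it out before the page loads any third-party banner or analytics script, and an ad or analytics provider that finds tokens sitting in its referrer logs should detect and redact them rather than keep them. The log lines, hostnames and token values below are constructed for the example; the only parameter name taken from the post is `access_token`.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that must never reach a third party via Referer.
# "access_token" is the one described in the Symantec analysis; extend as needed.
SENSITIVE_PARAMS = {"access_token"}

# Apache/nginx "combined" log format; the referrer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _rewrite_pairs(pairs, mode):
    """Drop ('strip') or mask ('redact') the values of sensitive parameters."""
    out = []
    for key, value in pairs:
        if key.lower() in SENSITIVE_PARAMS:
            if mode == "redact":
                out.append((key, "REDACTED"))
            # mode == "strip": omit the pair entirely
        else:
            out.append((key, value))
    return out


def _rewrite_url(url, mode):
    parts = urlsplit(url)
    query = urlencode(_rewrite_pairs(parse_qsl(parts.query, keep_blank_values=True), mode))
    fragment = parts.fragment
    # A fragment is not sent in Referer, but scripts on the page can still read it,
    # so treat a query-shaped fragment (k=v&...) the same way.
    if "=" in fragment:
        fragment = urlencode(_rewrite_pairs(parse_qsl(fragment, keep_blank_values=True), mode))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))


def strip_sensitive_params(url):
    """App side: the URL to redirect to (or rewrite via history.replaceState)
    before any third-party content is loaded, so the token never becomes a Referer."""
    return _rewrite_url(url, "strip")


def redact_url(url):
    """Provider side: keep the parameter name so the event is still visible,
    but destroy the secret value."""
    return _rewrite_url(url, "redact")


def find_leaked_tokens(log_lines):
    """Scan combined-format log lines and report referrers carrying a sensitive
    parameter. The token value itself is deliberately not copied into the finding."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ref = urlsplit(m.group("ref"))
        for key, value in parse_qsl(ref.query, keep_blank_values=True):
            if key.lower() in SENSITIVE_PARAMS:
                findings.append({
                    "client": m.group("ip"),
                    "time": m.group("ts"),
                    "referrer_host": ref.netloc,
                    "param": key,
                    "value_length": len(value),
                })
    return findings


def redact_log_line(line):
    """Return the log line with sensitive referrer values masked; unchanged if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return line
    start, end = m.span("ref")
    return line[:start] + redact_url(m.group("ref")) + line[end:]


# Constructed sample: an ad server's log after a user opened an app page whose URL
# still carried the token, plus two harmless requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2011:10:01:02 +0000] "GET /banner.js HTTP/1.1" 200 512 '
    '"http://apps.example/game?access_token=CONSTRUCTED_TOKEN_1&level=3" "Mozilla/5.0"',
    '203.0.113.6 - - [15/May/2011:10:01:05 +0000] "GET /banner.js HTTP/1.1" 200 512 '
    '"http://apps.example/game?level=3" "Mozilla/5.0"',
    '203.0.113.7 - - [15/May/2011:10:01:09 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_leaked_tokens(SAMPLE_LOG):
        print("leaked token in referrer:", finding)
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

Running the script flags the first line only and prints all three lines with `access_token=REDACTED` substituted where it appeared. The app-side fix is the more important one: a token that is removed from the page URL before the first banner or analytics request is issued never shows up in anyone’s log, whereas redaction at the provider only limits the damage after the fact.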

Bottom line here people, CHANGE YOUR FB PASSWORD!

Facebook is making GOOD security improvements. 9.6 (and growing) users are now using Facebook over HTTPS. Facebook now supports the much better OAuth 2.0 system, and Facebook apps need to support OAuth 2.0 by September.