“Facebook Applications Accidentally Leaking Access to Third Parties”

Symantec blog posting:


What Happens?

QUOTE: According to Symantec’s analysis, the problem was caused by a flaw in the old Facebook API which apps used to authenticate their account access. When a user grants account access to a web app, the app is given an “access token” which it can then renew. Symantec said that this access token can be mistakenly inserted into a URL returned by Facebook to the app server when the user logs in to an app. If the app loads an ad banner or analytics code as a next step, it will send that URL, including the access token, in the referrer field of its HTTP request for the content. This referrer data is likely to have been stored in the log file on the advertising or analytics providers’ server.

These are user impersonation tokens. Changing your user password will invalidate the old tokens; new tokens are safe.

Bottom line here people, CHANGE YOUR FB PASSWORD!

Facebook is making GOOD security improvements. 9.6 (and growing) users now use Facebook over HTTPS. Facebook now supports the much better OAuth 2.0 system, and Facebook apps need to support OAuth 2.0 by September: https://developers.facebook.com/blog/post/497
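To make the leak path concrete, here is an added example (my own code, not Symantec’s or Facebook’s) that shows what a browser actually puts in the Referer header for a token carried in the query string versus the URL fragment (the latter is how OAuth 2.0 returns tokens), and a small scanner an ad or analytics provider could run over its own access logs to find and redact leaked tokens. The log lines and host names are constructed samples.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Browsers send the Referer header without the fragment (RFC 7231 section 5.5.2),
# so a token in the query string reaches the ad/analytics host, a token in the
# fragment (the OAuth 2.0 way) does not.
def referer_sent_by_browser(page_url: str) -> str:
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))

# Query parameters treated as secrets (assumed names, chosen for this example).
TOKEN_PARAMS = {"access_token", "oauth_token", "code"}

def leaked_token_params(referer: str) -> dict:
    """Return the token-like query parameters present in a Referer value."""
    query = urlsplit(referer).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True) if k in TOKEN_PARAMS}

def redact_referer(referer: str) -> str:
    """Replace token values so the log line can be kept without the secret."""
    parts = urlsplit(referer)
    pairs = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))

# Combined log format: the Referer is the second-to-last quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')

def scan_log(lines):
    """Find Referer values carrying token params; returns (client_ip, param names, redacted referer)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, referer = m.group(1), m.group(2)
        leaked = leaked_token_params(referer)
        if leaked:
            hits.append((ip, sorted(leaked), redact_referer(referer)))
    return hits

# Constructed sample lines from an ad/analytics provider's access log (not real data).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /banner.js HTTP/1.1" 200 512 "http://apps.example.com/game/?access_token=EXAMPLE_TOKEN_123&expires=3600" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /banner.js HTTP/1.1" 200 512 "http://apps.example.com/game/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```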

