Hundreds of thousands of Facebook users’ account details could have been “inadvertently” leaked to third parties, in particular advertisers, over the years, according to data security solutions provider Symantec.
“Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms,” Symantec Corp said in its official blog.
Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts, including profiles, photographs and chat, and also had the ability to post messages and mine personal information.
“We estimate that as of April, 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of ‘access tokens’ to third parties,” the blog post added.
Access tokens are like ‘spare keys’ granted by a Facebook user to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile.
“Fortunately, these third—parties may not have realised their ability to access this information,” the blog post said.
Facebook has been informed of this development and has taken corrective action to help eliminate this issue.
“Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked,” the blog post said.