US computer security firm Symantec has said that Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network.
Symantec discovered that certain Facebook applications leaked tokens that act essentially as "spare keys" for accessing profiles, reading messages, posting to walls or other actions.
The tokens were being leaked to third-party applications, including advertisers and analytics platforms, allowing them to post messages or mine personal information from profiles, according to Nishant Doshi of Symantec.
"Fortunately, these third-parties may not have realized their ability to access this information," Doshi said in a blog post. "We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue."
"We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," Doshi said.
Facebook confirmed the problem, which was discovered by Doshi and Symantec colleague Candid Wueest, according to the computer security firm.
There was no evidence that the problem resulted in private information being gleaned from Facebook members' accounts, according to the California-based social networking service.
"In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies," Facebook said.
Regardless of any fix Facebook has put in place, token data may still be stored in files on third-party computers, Symantec warned.
"Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens," Doshi said.
"Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile."