A Facebook privacy flaw has led to personal information and photos of users being leaked to third parties.
According to research by Symantec, in certain cases Facebook iframe applications inadvertently leaked access tokens to third parties such as advertisers or analytics platforms.
As of last month, Symantec estimated that close to 100,000 applications enabled the leakage, which over the years could equate to millions of access tokens lost to third parties.
Symantec's Nishant Doshi said that access tokens are 'spare keys' granted by the user to the Facebook application.
The application uses the tokens to perform certain actions on behalf of the user or to access the user's profile. The application requests the user to grant permissions to these actions during the installation process and obtains an access token.
By default, most access tokens expire after a short time. However, the application can request offline access tokens, which allow it to keep using the token until the user changes their password, even when the user is not logged in.
Facebook now uses OAuth 2.0 for authentication; however, older authentication schemes are still supported and are used by hundreds of thousands of applications.
The application uses a client-side redirect to point users to the application permission box. This indirect leak could happen if the application uses a legacy Facebook API and has the deprecated parameters 'return_session=1' and 'session_version=3' as part of its redirect code.
"If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request containing the access tokens in the URL to the application host," Doshi said.
"The Facebook application is now in a position to inadvertently leak the access tokens to third parties, potentially on purpose and, unfortunately, very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers as part of the referrer field of the HTTP requests."
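To make the referrer leak concrete, the following added example (not Symantec's or Facebook's code) models what a browser of that era sent as Referer when a page whose URL carried the token loaded a third-party resource, shows the application-side fix of scrubbing the token from the URL, and scans constructed third-party access-log lines for tokens arriving in the Referer field. The host names, parameter names and log lines are assumptions constructed for the illustration.

```python
# Added illustration (not Symantec's or Facebook's code); hosts, parameter names
# and log lines below are constructed.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as secrets (assumed names; access_token is the one in the article).
SENSITIVE = {"access_token", "session"}

def referer_sent_to_third_party(page_url: str) -> str:
    """What a browser of that era sent as Referer when the page loaded a third-party
    resource: the query string is kept, only the #fragment is dropped. A token returned
    in the query therefore travels to the advertiser or analytics host."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))

def scrub_url(page_url: str) -> str:
    """Application-side mitigation: consume the token server-side, then redirect to this
    cleaned URL so the rendered page (and any Referer it produces) never carries it."""
    p = urlsplit(page_url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k not in SENSITIVE]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))

# Combined log format: client ident user [time] "request" status size "referer" "agent"; only client and referer are captured.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')

def find_leaked_tokens(log_lines):
    """Detection on the receiving (third-party) side: report requests whose Referer
    carries a sensitive parameter. Returns (client, referring host, parameter) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m.group(2) == "-":
            continue
        ref = urlsplit(m.group(2))
        keys = {k for k, _ in parse_qsl(ref.query, keep_blank_values=True)}
        for k in sorted(keys & SENSITIVE):
            hits.append((m.group(1), ref.netloc, k))
    return hits

# Constructed sample: an ad pixel's access log in which one Referer carries a token.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/canvas?return_session=1&access_token=EXAMPLE_TOKEN" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/canvas?page=2" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:12:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]
```

Current browsers default to a Referrer-Policy that strips the query string from cross-origin Referers, which narrows this particular channel, but a token that remains in a page URL is still exposed to browser history, proxies and logs, so scrubbing it remains the right fix.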
The issue was reported to Facebook, which has confirmed that it has changed settings and notified developers of the changes to prevent tokens from being leaked.