Facebook flaw leaked users' data for years

A Facebook flaw has "inadvertently" given online advertisers and others access to personal data on hundreds of thousands of users, according to a report by security vendor Symantec.

In a post on its official blog, the company said: "Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms.

"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage," the post continued. "Over the years, hundreds of thousands of applications may have inadvertently leaked millions of 'access tokens' to third parties."

Symantec told users: "Access tokens are like 'spare keys' granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user's profile."

Advertisers and others who received the leaked tokens could have had access to profile information, photographs and chat from users' accounts - and would also have had the ability to post messages and mine personal information.

"Fortunately, these third parties may not have realised their ability to access this information," said Symantec.

Equally, we can't help thinking that, given the scale of the flaw, it's more than likely some of them did.

"Facebook was notified of this issue and has confirmed this leakage," the security firm reassured, somewhat belatedly. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."

The social network - which has enjoyed a somewhat chequered record on privacy - yesterday announced an update on its developer blog, which it said would help eliminate the issue.

So that's alright, then.