A flaw in the Facebook Applications platform has been leaking user data to third-party developers and advertisers, a security firm has revealed.
In a blog post, Symantec said that neither Facebook nor most of the third parties were aware of the flaw.
The flaw gave the third parties access tokens, which are like spare keys to users' profiles. Through these tokens, third parties gained access to user profiles, photographs and chat, and the ability to post messages. It also allowed third parties to mine user information.
“We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Symantec said.
The company contacted the social networking giant about the flaw in the Facebook IFRAME applications, after which Facebook says it fixed the issue.
“Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue,” the company added.
Symantec advised users to change their Facebook passwords, because doing so blocks the access tokens.