In a diary post, the folks at the SANS Internet Storm Center have given us all a “heads up” on a potential Facebook security issue. If you use Facebook, you are probably familiar with the applications that are available on the platform. When you start to use an application, you go through a permission dialog which asks you to allow the application access to various capabilities of your Facebook account. For example, the application may be granted permission to access your profile data, make posts to your Wall, or to access your friends’ data (subject to their permission settings). When the permission is given, the application is given an access token; this is like an extra key that works in place of your user ID and password. There is a problem, discovered by the security firm Symantec, with how this mechanism historically worked; their (fairly technical) write-up is here.
These tokens are long strings of alphanumeric gibberish, and would be effectively impossible to guess; also, by default, they have a fairly short “shelf life”, but it is possible for an application to request an “offline” token that persists until you change your Facebook password. The problem exists with an older authentication mechanism for Facebook apps; it has been superseded by a more secure scheme, but (at least until now) the older method has still been supported, and is used by an estimated 100,000+ applications. The effect of the flaw is that the access token can accidentally be sent to the server hosting the application, typically not a Facebook server. That server can then “leak” the token to other machines that may be involved, such as advertising servers, thereby giving those third parties access to your Facebook account. I’m not aware of any evidence that this has been done maliciously, but unfortunately it is very easy for someone to do accidentally, owing to carelessness.
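To make the leak path concrete, here is an added example (not code from the post, from Symantec, or from Facebook). It shows why a token carried in a page’s query string reaches every third party the page embeds, while a token kept in the URL fragment does not: browsers strip the fragment from the Referer header but keep the query string. That is the practical difference between the older method and flows that keep the token out of the query string. The second half is a small defensive check a site or ad operator could run over their own access logs to find credentials arriving in the Referer or in the request itself. The parameter name set, host names, and log lines are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query-string parameter names that carry a bearer credential.  "access_token"
# is the standard OAuth 2.0 name; the set itself is an assumption for this
# example, to be extended with whatever names a given app or legacy
# integration actually uses.
TOKEN_PARAMS = {"access_token"}

_REDACT = re.compile(
    r"(?i)\b(" + "|".join(re.escape(p) for p in sorted(TOKEN_PARAMS)) + r")=[^&#\s\"]*"
)


def referer_for(page_url: str) -> str:
    """The Referer a browser sends when the page at page_url loads a
    third-party resource (ad script, tracking pixel, widget).

    Browsers strip the fragment (#...) and any user:password part but keep
    the full query string, so a token placed after '?' travels to every
    third party the page embeds, while a token placed after '#' stays in
    the browser.
    """
    p = urlsplit(page_url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def credential_params(url_or_path: str) -> set:
    """Names of credential parameters present in the query string."""
    query = parse_qs(urlsplit(url_or_path).query, keep_blank_values=True)
    return {name for name in query if name.lower() in TOKEN_PARAMS}


def leaked_params(page_url: str) -> set:
    """Credential parameters a third party would receive via Referer."""
    return credential_params(referer_for(page_url))


def redact(text: str) -> str:
    """Mask token values so findings can be logged or shared safely."""
    return _REDACT.sub(r"\1=[REDACTED]", text)


# Apache/nginx "combined" access-log format, as seen on the third-party
# (for example, advertising) server that receives the Referer.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def scan_log(lines):
    """Flag requests where a credential arrives in the request target or the
    Referer.  Returns one finding per affected field, with the token masked."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("target", "referer"):
            value = m.group(field)
            if value in ("", "-"):
                continue
            params = credential_params(value)
            if params:
                findings.append({
                    "client": m.group("client"),
                    "when": m.group("when"),
                    "field": field,
                    "params": sorted(params),
                    "value": redact(value),
                })
    return findings


# Constructed sample: three hits on an ad server.  Line 1 leaks a token via
# Referer, line 2 is clean, line 3 carries the token in the request itself
# (the app forwarded it to a tracking pixel).  Token values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2011:14:02:11 +0000] "GET /ad.js?slot=1 HTTP/1.1" 200 512 '
    '"http://apps.example.net/canvas/?access_token=AAAB1234cdef" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2011:14:02:12 +0000] "GET /ad.js?slot=1 HTTP/1.1" 200 512 '
    '"http://apps.example.net/canvas/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2011:14:02:13 +0000] "GET /pixel.gif?access_token=AAAB9999zzzz HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for url in ("https://apps.example.net/canvas/?access_token=AAAB#x",
                "https://apps.example.net/canvas/#access_token=AAAB"):
        print(redact(url), "->", leaked_params(url) or "nothing leaked")
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Running the block prints that the first URL leaks `access_token` via Referer and the second leaks nothing, then lists the two log findings with the token values masked. The findings are redacted on purpose: a detection script that copies the raw token into a ticket or a SIEM would simply create one more place the credential sits.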
Facebook, to its credit, has developed a plan to address this issue (detailed in a very technical post on its Developers’ Blog), which will require all applications to migrate to the new, more secure access method in stages, to be completed by October 1 of this year. Of course doing it more quickly would be better still, but given the number of applications involved, that might not be realistic.
For individual users, there is a simple method to clean up any previously-granted access tokens that may be susceptible to exploitation: change your password. Also, at least until the application updates are complete, be careful of what access you give to applications.