Facebook applications leak thousands of spare keys

AGAIN IT LOOKS LIKE like loss of privacy is a price you have to pay for using Facebook with the discovery that tens of thousands of Facebook apps have leaked access tokens to third-parties, such as advertisers.

Security firm Symantec said that close to 100,000 Facebook applications have enabled leakage of access tokens to third parties. Access tokens are described as 'spare keys' by the firm, which apps use to perform actions for the user or access their profile, as they grant the ability to do things such as read or post to a wall.

The leakage problem stems from the fact that many Facebook apps use old authentication schemes, and third parties can grab these access tokens on purpose, or most likely by accident.

Symantec researcher Nishant Doshi said, "Needless to say, the repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked."

"There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."

He said that users can change their passwords to invalidate leaked tokens, while Facebook has also announced a change to its developer roadmap, using a new authentication standard called OAuth 2.0. µ