FTC asked to investigate years-old Facebook security flaw

May 16, 2011
Cyber Security, FedCyber Wire

via Government Computer News

Several members of Congress are calling for an investigation of a recently fixed, years-old security flaw in social networking site Facebook that could have exposed users’ account information.

Sen. Mark Pryor (D-Ark.) recently asked the Federal Trade Commission to investigate the issue, the National Journal reported. He asked the FTC to respond to his request by May 25.

Security firm Symantec disclosed the flaw in a blog post, saying the vulnerability could have allowed third parties, specifically advertisers, to access Facebook users’ account information, including profiles, photographs and chats; post messages; and mine personal information.

Facebook quietly fixed the flaw after Symantec notified the company of the issue in late April, and it is requiring developers to migrate to HTTPS and OAuth 2.0. Although it acknowledges the flaw, the company maintains that no information was taken.

Symantec estimated that millions of access tokens could have leaked. The security hole came from Facebook IFRAME applications inadvertently giving third parties, such as advertisers and analytics platforms, the ability to read users’ access tokens, which operate like “spare keys,” Symantec said.

“Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.,” according to the blog post. According to Facebook, 20 million Facebook applications are installed daily.

“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Symantec said.
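The mechanism behind the leak, which the article does not spell out, was that the access token was carried in the IFRAME application page’s own URL, and a browser sends a page’s URL (minus any fragment) in the HTTP Referer header to every advertiser or analytics host the page embeds. The Python below is an added illustration, not code from Symantec, Facebook or this article. It shows the two sides of that pattern: what a browser actually sends as Referer for a page URL (token in the query string leaks, token in the fragment does not), and what a third-party server can recover from its own access log. The host names, parameter names and log lines are constructed for the example.

```python
"""
Audit helper for the access-token-in-Referer leak pattern.
Added illustration; not Symantec's, Facebook's or the article's own code.
Host names, parameter names and log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query-parameter names treated as bearer tokens. Heuristic chosen for this
# example, not a Facebook specification: exact names plus anything *_token.
TOKEN_PARAMS = frozenset({"access_token", "session_key"})

# Combined (Apache/nginx style) access-log line, with Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def looks_like_token_param(name: str) -> bool:
    """True for parameter names this audit treats as secrets."""
    return name in TOKEN_PARAMS or name.endswith("_token")


def referer_sent_by_browser(page_url: str) -> str:
    """Referer value a browser attaches to sub-resource requests made by a
    page at page_url. The fragment (#...) is dropped; scheme, host, path and
    the full query string are kept, which is why a token in the query leaks."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def tokens_in_url(url: str) -> dict:
    """{param: value} for every query parameter that looks like a token."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if looks_like_token_param(k)}


def find_leaked_tokens(log_lines) -> list:
    """The third party's view: parse each access-log line and report entries
    whose Referer carries a token parameter. Unparseable lines are skipped."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = tokens_in_url(m.group("referer"))
        if found:
            leaks.append({
                "client": m.group("ip"),
                "referer_host": urlsplit(m.group("referer")).netloc,
                "params": found,
            })
    return leaks


# Constructed sample: what an ad/analytics server embedded by an IFRAME app
# would log. Line 1 is the leaky case (token in the app page's query string),
# line 2 is a clean Referer, line 3 is noise that should not parse.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" '
    '200 43 "https://app.example.com/canvas?access_token=AAAB123&app=demo" '
    '"Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" '
    '200 43 "https://app.example.com/canvas" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    leaky = "https://app.example.com/canvas?access_token=AAAB123&app=demo#top"
    safe = "https://app.example.com/canvas#access_token=AAAB123"
    print("Referer for query-string token :", referer_sent_by_browser(leaky))
    print("Referer for fragment token     :", referer_sent_by_browser(safe))
    for leak in find_leaked_tokens(SAMPLE_LOG):
        print("leaked:", leak)
```

Running `find_leaked_tokens` over a real third-party log is the quickest way to confirm whether an embedded service ever received tokens; the `referer_sent_by_browser` half is the check to apply to an application's own canvas URL before shipping it, since anything in the query string is visible to every host the page embeds.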
