Is anyone else beginning to think that Facebook’s entire focus is desensitizing users to privacy breaches?
The leaky social network has again exposed user data to third parties, this time inadvertently allowing advertisers to obtain “access tokens,” which have been described by experts as “spare keys” to a user’s account. So what could have been shared? Symantec, who discovered the breach, explains:
Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.
However, the security site adds:
Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.
Worryingly, the breach allowed long term access even though tokens eventually expire:
By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in.
Facebook has admitted the breach and said they’ve taken steps to correct it, but some tokens could still be out there. (In a blog post, the social network downplays the issue a bit.) Symantec recommends changing your Facebook password, just in case.