Commentary

Security Research Firm Documents Further Facebook Data Leaks

Facebook has come under fire in the past for leaking users' names through referrer URLs. Now it's come to light that the referrer URLs also gave third parties like advertisers and analytics companies access to a host of additional information, including users' chat histories, photos and other personal data.

Security research company Symantec, which posted the details, says as many as 100,000 applications might have enabled the leakage.

Symantec describes access tokens as "spare keys" that allow third parties to have the same access to users' profiles as app developers. "Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc.," the company says.

Facebook said Tuesday in a blog post for developers that it has been working with Symantec to "identify issues in our authentication flow to ensure that they are more secure" and plans to migrate to a new authentication system.

The company also reportedly said it had fixed the leak and that it wasn't aware of any third parties obtaining unauthorized access to users' private information. Facebook added that its contract with third parties prohibits them from sharing information about users in ways that violate Facebook's policies.

Of course, that raises the question of whether advertisers did in fact access far more detailed information about users than those users would have shared voluntarily. After all, it's not likely that any companies that violate Facebook's policies are going to confess to the social networking site.

What's more, even though the leakage in this case appears to have been accidental, it could have been prevented. Instead, the research serves as yet one more example of the low priority placed on privacy by Facebook.
