Facebook confirmed a security problem with its old, proprietary authentication system: when using Facebook Apps such as games, the access token (something like a key to your Facebook account) could leak to some of the advertisers who were showing ads at the time. With this access token it is possible to impersonate the user: post in the user's name, gain access to all of their information, and so on. Facebook says it has now taken countermeasures so that these leaks can no longer occur, but in the advertisers' old log files those access tokens can still be found.
As Facebook now supports OAuth 2.0, the company advises App providers to switch to this open and mature authentication system, which Google, Yahoo, Twitter and others support as well. Users should change their Facebook password, which invalidates the old access token and generates a new one. This way, advertisers cannot abuse the token anymore, even if they start data mining their log files for access tokens now.
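As an added illustration, not code from the original article or from Facebook, here is how an operator who holds such old ad-server logs could locate and scrub the leaked tokens before the files are retained or shared further. It assumes the token was recorded as an `access_token` (or similarly named) query parameter inside the referring URL of an Apache combined-format log line; the article does not state the exact leak channel, and the log lines below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample log lines (Apache combined format). The referrer field
# carrying an "access_token" query parameter is an assumption about how the
# leaked token ended up in advertisers' logs; the article does not specify it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:12:00:01 +0000] "GET /ad.gif HTTP/1.1" 200 43 "http://apps.example/game?access_token=EXAMPLE_TOKEN_1&level=3" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:12:00:02 +0000] "GET /ad.gif HTTP/1.1" 200 43 "http://apps.example/game?level=4" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:12:00:03 +0000] "GET /ad.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2011:12:00:04 +0000] "GET /ad.gif HTTP/1.1" 200 43 "http://apps.example/other?access_token=EXAMPLE_TOKEN_2" "Mozilla/5.0"
"""

# Query parameter names treated as secrets (assumed names, extend as needed).
SENSITIVE_PARAMS = {"access_token", "oauth_token", "token"}

# Locates the quoted referrer field that follows the status code and size
# in a combined-format line: ... " 200 43 "<referrer>" ...
REFERRER_RE = re.compile(r'(?P<pre>" \d{3} \S+ ")(?P<ref>[^"]*)(?P<post>")')


def redact_url(url):
    """Return (redacted_url, count) where count is the number of sensitive
    query parameters whose values were replaced by the literal REDACTED."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    found = 0
    cleaned = []
    for key, value in params:
        if key.lower() in SENSITIVE_PARAMS:
            found += 1
            cleaned.append((key, "REDACTED"))
        else:
            cleaned.append((key, value))
    if not found:
        return url, 0  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found


def scrub_log(text):
    """Scrub sensitive parameters from every referrer field in a log.

    Returns (scrubbed_text, total_hits). Lines without a referrer ("-")
    or without a match are passed through unchanged."""
    hits = 0
    out = []
    for line in text.splitlines():
        match = REFERRER_RE.search(line)
        if match and match.group("ref") not in ("", "-"):
            new_ref, n = redact_url(match.group("ref"))
            hits += n
            line = line[:match.start("ref")] + new_ref + line[match.end("ref"):]
        out.append(line)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, hits


if __name__ == "__main__":
    scrubbed, hits = scrub_log(SAMPLE_LOG)
    print(f"{hits} token value(s) redacted")
    print(scrubbed)
```

Running the scrubber over the constructed log redacts two token values and leaves the other lines untouched. Redaction rather than deletion keeps the remaining fields available for traffic analysis, and the hit count gives the operator a figure for how many leaked credentials the file contained, which is useful for deciding how far back the purge has to reach.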