Facebook user data 'leaked'

Personal data belonging to Facebook users, including profiles, photographs and chats, have been leaked to third parties "for years" due to a technical glitch, a report has claimed.

Kevin Rawlinson
Wednesday 11 May 2011 00:00 BST

IT security firm Symantec claims to have discovered that some applications - which have been available for installation on Facebook since 2007 - were accidentally being handed what it described as a set of “spare keys” to users’ profiles, which allowed them to access the data as well as the “ability to post messages and mine personal information”.

Applications are given access tokens by users when they are installed, allowing them to access selected parts of the users' accounts. These tokens normally expire after a period of time but some applications can apply for offline tokens, which continue to grant access until the user’s password is changed.

Symantec claims that the information is leaked when apps redirect users to sites which have previously been personalised using information automatically but consensually handed over during the user’s visit to the site, such as country, locale and age bracket. If a rogue command is present in the electronic ‘negotiation’ of access privileges between Facebook and the app - called an API - users’ data become vulnerable to leaks.

Much of the site’s revenue comes from so-called targeted advertising, which is tailored to the individual user based on their actions online, and Symantec said that it found the leak has seen some personal information handed to advertisers.

Facebook claims that around 20 million applications or “apps” are installed by its users every day and, while it is impossible to provide an accurate figure, Symantec estimated that, as of last month, 100,000 apps were enabling this type of leak.

Facebook was notified of the alleged problem after it was identified by two Symantec employees, Nishant Doshi and Candid Wueest. Symantec insists it has been assured by the social networking site that steps have been taken to prevent it happening any longer.

Facebook insisted that its own investigation had found “no evidence” that the leaked information had been passed to “unauthorised” third parties, pointing out that that would constitute a breach of the social network's privacy policy. The spokesman confirmed that the outdated API Symantec said was causing the problem had been removed.

Symantec advised Facebook users to change their passwords, saying that it should help to protect them from being caught by the leak.
