The good news is that once Facebook was alerted to the problem, the social network took action. But some Facebook users might still be vulnerable to digital invasions of privacy unless they take action. Here is what happened.
The Facebook Privacy Flub
Symantec claims Facebook has not only leaked private data such as your sex and your age, but for the past four years third parties have had access to such goldmines as your profile, photos, and chats. Symantec also blasts Facebook for giving third parties the ability to post things to your wall.
Luckily, there’s an upside–Symantec says it’s likely that said third parties weren’t even aware of the data mines sitting under their feet. After all, the leakage was accidental.
How it Happened
According to Symantec, certain Facebook applications have been inadvertently leaking “access tokens” to third parties such as advertisers and analytics platforms. Symantec estimates that close to 100,000 Facebook apps were enabling this leakage in February 2011.
When you install an application on your Facebook account, a little window pops up. This window usually asks you to give the application certain permissions, such as the ability to see your info and publish posts to your wall. When you click “Allow,” the application is granted these permissions through what are known as “access tokens.”
Most of these access tokens expire after a short period of time, but Facebook also allows applications to request “offline access tokens.” Offline access tokens allow the application to access your Facebook account even if you’re logged off, and do not expire until you change your Facebook password.
According to Symantec, in the process of granting access tokens to applications, Facebook has been inadvertently dropping the same tokens to third parties. Facebook introduced third-party applications in 2007, so there’s no telling how many access tokens were dropped in the past four years.
What it Means for You
Facebook has been alerted to the situation and has fixed the problem, Symantec is happy to report. However, third parties may still be able to access your information if they were given offline tokens that don’t expire until you change your password.