Of possible interest...
Facebook Patches Access Token Leak
Users should change their passwords to mitigate threats posed by the accidental
leak of perhaps millions of account identity details.
http://www.informationweek.com/news/security/client/229500030
By Mathew J. Schwartz InformationWeek
May 11, 2011 01:05 PM
Have Facebook advertisers and analytics firms been reviewing your private
profile? On Tuesday, security researchers warned that, due to how the site
handles access tokens, enterprising third parties would have been able to
access users' private data and perform any actions with a user's identity,
beginning in 2007.
"Third parties, in particular advertisers, have accidentally had access to
Facebook users' accounts including profiles, photographs, chat, and also had
the ability to post messages and mine personal information," said Nishant
Doshi, a senior principal software engineer at Symantec, in a blog post. He
discovered the flaw, together with Symantec's Candid Wueest.
Facebook has reportedly acknowledged and fixed the problem.
Whether anyone had exploited the flaw, however, remains an open question.
"There is no good way to estimate how many access tokens have already been
leaked since the release of Facebook applications back in 2007," said Doshi.
"We fear a lot of these tokens might still be available in log files of
third-party servers or still be actively used by advertisers."
To mitigate the threat posed by user credentials lingering in advertisers' log
files, change your Facebook password. "Changing the password invalidates these
tokens and is equivalent to 'changing the lock' on your Facebook profile," said
Doshi.
The flaw resulted from how Facebook iFrame applications handled access
tokens. "Access tokens are like 'spare keys' granted by you to the Facebook
application. Applications can use these tokens or keys to perform certain
actions on behalf of the user or to access the user's profile," said Doshi.
"Each token or 'spare key' is associated with a select set of permissions, like
reading your wall, accessing your friend's profile, posting to your wall."
Users grant specific permissions to an application when they install it.
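The two properties Doshi describes, a token being a "spare key" limited to the permissions the user granted, and a password change "changing the lock" so that every earlier key stops working, can be shown in a small resource-server model. The code below is an added illustration written for this post; it is not Facebook's implementation, not Symantec's, and not from the article. The user "alice", the scope names "read_wall" and "post_wall", the PBKDF2 round count and the TokenStore class are all constructed for the example. Invalidation is modelled by recording a per-user credential version on each token and bumping that version on password change, which is one common way to implement the behaviour the article describes.

```python
import hashlib
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # constructed value for this demo, not a tuning recommendation


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    # Bumped on every password change; each token records the version it was
    # issued under, so one change invalidates every earlier token at once.
    credential_version: int = 0


@dataclass(frozen=True)
class AccessToken:
    value: str
    user: str
    scopes: frozenset          # the permissions the user approved at install time
    credential_version: int


class TokenStore:
    """Hypothetical resource-server bookkeeping for users and the tokens issued to apps."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.tokens: dict[str, AccessToken] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def check_password(self, name: str, password: str) -> bool:
        user = self.users[name]
        return secrets.compare_digest(user.password_hash, _hash_password(password, user.salt))

    def issue_token(self, name: str, scopes) -> str:
        """Grant an application a 'spare key' limited to the listed scopes."""
        user = self.users[name]
        value = secrets.token_urlsafe(24)
        self.tokens[value] = AccessToken(value, name, frozenset(scopes), user.credential_version)
        return value

    def authorize(self, token_value: str, scope: str) -> tuple:
        """Decide whether a presented token may perform an action that needs `scope`."""
        token = self.tokens.get(token_value)
        if token is None:
            return False, "unknown token"
        user = self.users[token.user]
        if token.credential_version != user.credential_version:
            # Issued before the most recent password change: the lock was changed.
            return False, "token revoked by password change"
        if scope not in token.scopes:
            return False, f"scope {scope!r} not granted"
        return True, "ok"

    def change_password(self, name: str, old: str, new: str) -> bool:
        if not self.check_password(name, old):
            return False
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        user.credential_version += 1  # 'changing the lock': all old spare keys stop working
        return True


def demo() -> dict:
    """Follow one token that a third party copied, before and after a password change."""
    store = TokenStore()
    store.register("alice", "correct horse battery staple")  # constructed demo user
    # Alice installs an app and grants it read_wall only.
    copied_token = store.issue_token("alice", {"read_wall"})
    results = {
        "read_before": store.authorize(copied_token, "read_wall"),
        "post_before": store.authorize(copied_token, "post_wall"),
    }
    store.change_password("alice", "correct horse battery staple", "new-passphrase-42")
    results["read_after"] = store.authorize(copied_token, "read_wall")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running the block shows the token succeeding for the one scope it was granted, being refused for a scope the user never approved, and being refused outright once the password has changed, which is exactly why the article's advice to change passwords is effective against tokens sitting in someone else's logs.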
<snip/>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth