FTC asked to investigate years-old Facebook security flaw
Vulnerability left users' account information exposed
- By Kathleen Hickey
- May 13, 2011
Several members of Congress are calling for an investigation of a recently fixed, years-old security flaw in social networking site Facebook that could have exposed users' account information.
Sen. Mark Pryor (D-Ark.) recently asked the Federal Trade Commission to investigate the issue, the National Journal reported. He asked the FTC to respond to his request by May 25.
Security firm Symantec disclosed the flaw in a blog post, saying the vulnerability could have allowed third parties, specifically advertisers, to access Facebook users’ account information, including profiles, photographs and chats; post messages; and mine personal information.
Facebook quietly fixed the flaw after Symantec notified the company of the issue in late April, and it is now requiring developers to move to HTTPS and OAuth 2.0. Although it acknowledges the flaw, the company maintains that no information was taken.
Symantec estimated that millions of access tokens could potentially have leaked. The security hole came from Facebook IFRAME applications inadvertently giving third parties, such as advertisers and analytics platforms, the ability to read users’ access tokens, which operate like “spare keys,” Symantec said. Because the token was carried in the application page’s URL, it could travel to any third party whose content that page loaded, for example in the HTTP Referer header sent with a request for an ad or an analytics script.
“Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.,” according to the blog post. According to Facebook, 20 million Facebook applications are installed daily.
“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Symantec said.
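To make the mechanism concrete, the following added example (not code from the article, Symantec or Facebook) simulates the leak path: a token in the app page’s query string is copied into the Referer header of every request the page makes to advertisers and analytics hosts. It then checks the two mitigations the migration implies: serving the app over HTTPS (which only stops the Referer to plain-HTTP third parties) and keeping the token out of the query string, here by moving it to the URL fragment, which browsers never send. A small log scanner shows the detection side, finding tokens that arrived in the Referer field of a third party’s access log. Host names, the token value, the `session_key` parameter name and the log lines are constructed for illustration; the Referer rules are the pre-Referrer-Policy browser defaults of the period, simplified.

```python
"""Simulate access-token leakage through the HTTP Referer header and test two
mitigations. Added example; all hosts, tokens and log lines below are constructed."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as tokens. 'access_token' is the OAuth name; the
# 'session_key' name is an assumption used only for illustration.
TOKEN_RE = re.compile(r"(?:^|[?&])(access_token|session_key)=([^&#\s]+)")


def referer_for(page_url: str, resource_url: str):
    """Referer a pre-Referrer-Policy browser sends when page_url loads resource_url.
    Modelled rules: the fragment is never sent; an HTTPS page sends no Referer to
    an HTTP resource; otherwise scheme, host, path and query are all sent."""
    p, r = urlsplit(page_url), urlsplit(resource_url)
    if p.scheme == "https" and r.scheme == "http":
        return None
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaked_tokens(page_url: str, resource_urls):
    """Map third-party host -> list of (param, token) that host receives via Referer."""
    leaks = {}
    for res in resource_urls:
        ref = referer_for(page_url, res)
        if ref is None:
            continue
        for name, value in TOKEN_RE.findall(ref):
            leaks.setdefault(urlsplit(res).netloc, []).append((name, value))
    return leaks


def move_token_to_fragment(url: str, param: str = "access_token") -> str:
    """Hardening: carry the token in the URL fragment, which browsers do not send
    in Referer (the same reason OAuth 2.0's implicit flow returns tokens there)."""
    p = urlsplit(url)
    params = parse_qsl(p.query, keep_blank_values=True)
    tokens = [v for k, v in params if k == param]
    kept = [(k, v) for k, v in params if k != param]
    fragment = f"{param}={tokens[0]}" if tokens else p.fragment
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), fragment))


# Detection side: scan a third party's combined-format access log for tokens
# arriving in the Referer field (request, status, size, referer, user agent).
LOG_RE = re.compile(r'"[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')


def scan_log(lines):
    """Return one record per token found in a Referer field."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        referer = m.group(2)
        for name, value in TOKEN_RE.findall(referer):
            hits.append({"referer_host": urlsplit(referer).netloc,
                         "param": name, "token": value})
    return hits


# Constructed sample data: a legacy HTTP app page, its HTTPS twin, two third parties.
LEGACY_PAGE = "http://apps.example-app.test/canvas/?access_token=TOKEN123&user=42"
HTTPS_PAGE = "https://apps.example-app.test/canvas/?access_token=TOKEN123&user=42"
THIRD_PARTIES = ["http://ads.example-ads.test/pixel.gif",
                 "https://analytics.example.test/collect.js"]
SAMPLE_LOG = [  # constructed lines from the ad host's log
    '203.0.113.5 - - [13/May/2011:10:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/canvas/?access_token=TOKEN123&user=42" "Mozilla/5.0"',
    '203.0.113.6 - - [13/May/2011:10:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/canvas/?user=43" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2011:10:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]


def main():
    print("legacy HTTP page :", leaked_tokens(LEGACY_PAGE, THIRD_PARTIES))
    print("HTTPS page       :", leaked_tokens(HTTPS_PAGE, THIRD_PARTIES))
    print("token in fragment:", leaked_tokens(move_token_to_fragment(HTTPS_PAGE), THIRD_PARTIES))
    print("log scan hits    :", scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

The point the run makes is that HTTPS alone was not the fix: the HTTPS page still hands the token to every HTTPS advertiser or analytics host, and only removing the token from the query string (here by moving it to the fragment; OAuth 2.0 likewise keeps bearer tokens out of page URLs) stops the leak. Modern browsers default to `strict-origin-when-cross-origin`, which strips path and query from cross-origin Referers, so the simulated rules overstate what a current browser would send, but a token in a URL still ends up in logs, history and bookmarks.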
Even before the announcement, government security specialists acknowledged that the government is facing challenges protecting networks and sensitive data with the increasing use of social media sites.
Matthew McCormack, the Defense Intelligence Agency's chief of cybersecurity, spoke on the topic at the recent Department of Defense Intelligence Information Systems conference in Detroit. “The mindset needs to change from securing the perimeter — keeping the bad guys out — to securing the data,” he said.
Approximately half of government employees are allowed access to Facebook and other social networking sites at work, FCW reported. The Library of Congress, for example, has a strategic plan calling for 25 percent of its staff to be on Facebook or Twitter this year, reported FCW.
Facebook has downplayed the issue. In an e-mailed comment to Computerworld, Facebook denied a breach occurred.
“No private information could have been passed to third parties, and the vast majority of tokens expire within two hours,” Facebook spokeswoman Malorie Lucich wrote in the e-mail, adding that Facebook had no evidence of any personal information being taken and used by third parties. “The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies.”
In response, Symantec said it stood by its report, advising concerned users to change their passwords.