Facebook's social features for third party sites might be a little too "instant" and too little "tested."
Advertisers and other third parties gained access to user accounts and personal information, a major security company reported.
About 100,000 third-party or advertising applications accidentally leaked "tokens," or a kind of all-access key, to Facebook user accounts, according to security firm Symantec. The third parties could have posted to one's wall, looked up friends' accounts or read all personal information. Symantec said on its blog that it notified Facebook of the security breach last month.
The Wall Street Journal followed up the story by quoting Facebook:
"We've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," said a Facebook spokeswoman in an email, without specifying how the company conducted its study.
Not surprisingly, Facebook also announced a "more secure" platform on its Developer Blog yesterday, replacing its older authentication flow over plain HTTP with OAuth 2.0, an industry standard, carried over HTTPS.
Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry. In addition, we have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure. This has led us to conclude that migrating to OAuth & HTTPS now is in the best interest of our users and developers.
I love that it was only "over the past few weeks" that Facebook determined it needed a more secure system. The Symantec report that the security company was going to make public didn't factor into it, right? This move by Facebook is purely a face-saving one: the social network should have put this in place already, instead of merely pretending that it took user security seriously. We all know that Facebook always wanted to give advertisers user information, so why should we believe this was all accidental?