Facebook apps have leaked access to private data, Password change advised

Status
Not open for further replies.

Gaurish

Galvanizer
Not sure how severe the situation is, but it's a good idea to change your password. I have changed my password on Facebook. I advise you to do the same ;)

Security researchers discovered that Facebook leaked user access tokens to advertisers, exposing their chat, photos and profiles. Facebook says there's no evidence any such data was used, but the security guys suggest changing your password, and you should probably listen.

Researchers at security software firm Symantec discovered a bug in the process by which some Facebook applications ask permission to access your data. After you approve an application, it seems, the access code intended only for the application can be exposed to advertisers, analytics companies and other third parties embedded on the application's own pages. These tokens, which have been given out in an insecure manner in up to 100,000 applications since 2007 (!), can provide access to your Facebook data until you change your password, which is why Symantec says "concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens."

Why You Should Probably Change Your Facebook Password
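As an added example (my code, not from the thread, Symantec or Facebook): a log audit that an ad or analytics host embedded on app pages could run to see whether it is receiving users' access tokens through the HTTP Referer header, plus the URL clean-up an app should do so that never happens. It assumes the legacy flow put the token in the app page's query string, as Symantec described; the parameter names and the log lines are constructed for the example.

```python
# Added example, not from the thread: audit a third party's web-server log for
# OAuth access tokens arriving in the HTTP Referer header. Assumes (as Symantec
# described) the legacy app flow put the token in the app page URL, so every
# ad/analytics resource embedded on that page received it in Referer.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

TOKEN_PARAMS = {"access_token", "fb_sig_session_key"}  # assumed legacy param names
COMBINED = re.compile(  # Apache/nginx combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample lines as an ad server would see them (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example.test/quiz/?access_token=AAAC1234567890abcdef&ref=canvas" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://apps.example.test/quiz/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2011:12:00:03 +0000] "GET /track.js HTTP/1.1" 200 910 '
    '"http://other.example.test/app?fb_sig_session_key=2.abcdef.3600-12345" "Mozilla/5.0"',
    'not a log line',
]

def tokens_in_url(url):
    """Token-bearing params in query or fragment. Browsers never send the
    fragment in Referer, which is why OAuth 2.0 puts tokens there instead."""
    parts = urlsplit(url)
    return {k: v[0] for blob in (parts.query, parts.fragment)
            for k, v in parse_qs(blob).items() if k in TOKEN_PARAMS}

def find_referer_leaks(log_lines):
    """Return one record per token seen in a Referer, redacted for re-logging."""
    leaks = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the audit
        ref = m.group("referer")
        for param, tok in tokens_in_url(ref).items():
            leaks.append({"client": m.group("ip"), "app_host": urlsplit(ref).hostname,
                          "param": param, "token_prefix": tok[:6] + "..."})
    return leaks

def strip_tokens(url):
    """URL with token params removed: an app should redirect here right after
    consuming the token, so embedded third parties never see it."""
    p = urlsplit(url)
    clean = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k not in TOKEN_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(clean), p.fragment))

if __name__ == "__main__":
    for rec in find_referer_leaks(SAMPLE_LOG):
        print(rec)
```

The same audit over a third party's real logs tells it which app hosts to notify and which stored Referer values to purge.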
 
That's the only reason I don't access any 'timepass' FB apps... I wonder why people use all the apps they come across: prediction, weather, name meaning, favorite color, best friends and what not...
 
Just don't use noob apps, guys. Btw, thank God my Facebook password is unique to that site only.

Sent from my GT-I5801 using Tapatalk
 
Apps are the reason why Facebook is gonna do this

As part of these efforts to make our Platform more secure, we have been working to transition apps from the old Facebook authentication system and HTTP to OAuth 2.0 (an open standard co-authored with Yahoo, Twitter, Google, and others) and HTTPS. Because of the number of apps using our legacy auth system, we need to be thoughtful about this transition. Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry. In addition, we have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure. This has led us to conclude that migrating to OAuth & HTTPS now is in the best interest of our users and developers.

@Gaurish thanks for sharing this, I am soon gonna change my FB password too... :)
 
Your password was not leaked, only the access token.

So, you only need to change it on FB, and that too only if you provided offline access to any application.

Tip: If you don't use any applications, switch over to HTTPS mode. It prevents many of the malicious JavaScript attacks as well.
 
I used some stupid Android application and someone from the Netherlands logged into mine, then I got the security emails from Facebook & I changed my pass.

Sent from my Nexus One using Tapatalk
 
malhotraraul said:
I used some stupid Android application and someone from the Netherlands logged into mine, then I got the security emails from Facebook & I changed my pass.

Sent from my Nexus One using Tapatalk
I don't think a person from the Netherlands logged in to your account. The application that you used, its proxy server must have been based in the Netherlands.
That's why when the application tried to access Facebook using your credentials, FB showed you the security notification.
It is not a security breach. It is just that the application was trying to access some private data which it needed to function properly.

Example: On using Snaptu and chat applications like eBuddy or Nimbuzz, you have to verify their usage manually on FB before they are allowed to access any FB data of your account.
 
hotshot05 said:
I don't think a person from the Netherlands logged in to your account. The application that you used, its proxy server must have been based in the Netherlands.

That's why when the application tried to access Facebook using your credentials, FB showed you the security notification.

It is not a security breach. It is just that the application was trying to access some private data which it needed to function properly.

Example: On using Snaptu and chat applications like eBuddy or Nimbuzz, you have to verify their usage manually on FB before they are allowed to access any FB data of your account.

The app could have stolen the username/password... it's a possibility.
 
mehrotra.akash said:
The app could have stolen the username/password... it's a possibility.
Yes, it was compromised & I still have that email, but buried. I still remember the application being removed from the Market section.

Forgot which app.

Sent from my Nexus One using Tapatalk
 