Facebook removes API bug allowing third party access to personal data — change your password to be safe

The strange bedfellows known as Facebook and privacy concerns are once again entangled. I'll spare you the nitty-gritty details, but it goes something like this: according to Symantec, apps that still used certain bits of legacy code received the user's access token (literally, a string of characters that grants access to your profile) as part of the URL sent to the app host. Anything else that page loaded, such as an advertiser's banner or an analytics script, could in turn receive that URL, token and all, since browsers pass the page's address along in the HTTP Referer header. Whoever ended up holding the token (advertisers, or anyone, for that matter) could use it to read user information or even perform actions (e.g. wall posts) on behalf of the user. Symantec estimates almost 100,000 of these apps exist and that "over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
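To make the leak concrete, here is an added example (not code from Facebook, Symantec or The Verge) that models what a third party embedded in an app page sees in its Referer header, and then scans a constructed ad-server access log for requests whose Referer carried a token. The hostnames, the `fb_sig_session_key` and `session_key` parameter names, the token values and the log lines are all assumptions made up for illustration; only `access_token` is the standard OAuth parameter name.

```python
"""Show how an access token placed in a page's URL query string leaks to
third parties through the HTTP Referer header, and how a token carried in
the URL fragment does not.  Added example; hostnames, legacy parameter
names, token values and log lines below are constructed for illustration."""

import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameters treated as credentials.  'access_token' is the OAuth
# parameter name; the other two are assumed legacy names, not documented ones.
TOKEN_PARAMS = {"access_token", "fb_sig_session_key", "session_key"}


def referer_for(page_url: str) -> str:
    """Return the Referer a browser sends when the page at page_url loads a
    third-party resource (an ad image, an analytics beacon).

    Browsers must drop the fragment (everything after '#') when building the
    Referer (RFC 7231 section 5.5.2) but keep the query string.  That single
    rule decides whether a token in the URL reaches the third party.
    """
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def tokens_in_url(url: str) -> dict:
    """Return {param: value} for every credential-carrying query parameter."""
    query = parse_qs(urlsplit(url).query)
    return {name: vals[0] for name, vals in query.items() if name in TOKEN_PARAMS}


def leaked_to_third_party(page_url: str) -> dict:
    """Tokens that any third party embedded in page_url would see."""
    return tokens_in_url(referer_for(page_url))


# Constructed access log of a hypothetical third-party ad server, in
# combined log format; the second quoted field is the Referer the browser sent.
AD_SERVER_LOG = """\
203.0.113.7 - - [10/May/2011:14:02:11 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://apps.example.com/canvas/?access_token=AAAB123legacy&fb_sig_user=1001" "Mozilla/5.0"
203.0.113.8 - - [10/May/2011:14:02:12 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://apps.example.com/canvas/" "Mozilla/5.0"
203.0.113.9 - - [10/May/2011:14:02:13 +0000] "GET /ad.js HTTP/1.1" 200 1930 "https://apps.example.com/canvas/?session_key=legacyKey77&v=1.0" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_leaked_tokens(log_text: str) -> list:
    """Scan a third party's access log for requests whose Referer carried a
    credential.  Returns (client_ip, referring_host, {param: value}) tuples,
    which is exactly the evidence an advertiser or analytics host would hold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        found = tokens_in_url(m.group("referer"))
        if found:
            hits.append((m.group("ip"), urlsplit(m.group("referer")).netloc, found))
    return hits


if __name__ == "__main__":
    legacy = "https://apps.example.com/canvas/?access_token=AAAB123legacy&fb_sig_user=1001"
    fragment = "https://apps.example.com/canvas/#access_token=AAAB123oauth2&expires_in=3600"
    print("token in query   ->", leaked_to_third_party(legacy))    # leaks
    print("token in fragment->", leaked_to_third_party(fragment))  # nothing
    for ip, host, found in find_leaked_tokens(AD_SERVER_LOG):
        print(f"{ip} got a token from {host}: {found}")
```

The contrast in the two demo URLs is the whole point of the OAuth 2.0 move mentioned below: the client-side OAuth 2.0 flow returns the token in the URL fragment (RFC 6749 section 4.2), which never appears in a Referer, while the legacy query-string delivery hands it to every embedded resource. The log scan is the check a third party, or an app owner auditing what its page leaks, could run over real logs after swapping in its own Referer field format.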

When asked for comment, Facebook told me that the company conducted a thorough investigation that showed no evidence of this private information being shared with unauthorized third parties. The spokesperson also wanted to stress the "contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information." The company announced on its developer blog today that the offending API has been removed, and outlined some details of its transition to the more secure OAuth 2.0.

So there are no reports of misuse, but all the same, it wouldn't be a bad idea to change your Facebook password; that should invalidate the older tokens, just in case.