Facebook Applications Accidentally Leaking Access to Third Parties – Updated

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.

Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.

Figure 1 illustrates some of these permissions.

Figure 1

During the application installation process, the application requests the user to grant permissions to these actions. Upon granting these permissions, the application gets an access token as seen in Figure 2.

Figure 2

Using this access token, the application can now access the user’s information or perform actions on behalf of the user.

By default, most access tokens expire after a short time, however the application can request offline access tokens which allow them to use these tokens until you change your password, even when you aren’t logged in.

How does the access token get leaked?

By default, Facebook now uses OAuth 2.0 for authentication. However, older authentication schemes are still supported and used by hundreds of thousands of applications. When a user visits apps.Facebook.com/appname, Facebook first sends the application a limited amount of non-identifiable information about the user, such as their country, locale and age bracket. Using this information, the application can personalize the page.

The application then needs to redirect the user to a permission dialog page, as seen here.

Figure 3

The application uses a client-side redirect for redirecting the user to the familiar application permission dialog box. This indirect leak could happen if the application uses a legacy Facebook API and has the following deprecated parameters, "return_session=1" and "session_version=3", as part of their redirect code, as seen in Figure 4.

Figure 4

If these parameters are used, Facebook subsequently returns the access token by sending an HTTP request, with the access token in the URL, to the application host.

The Facebook application is now in a position to leak the access token to third parties: potentially on purpose, but unfortunately very commonly by accident. In particular, this URL, including the access token, is passed to third-party advertisers in the Referer (referrer) header of the HTTP requests the user's browser makes for embedded content.

For example, if the application's first page requests resources from an advertiser's external URL using an iframe tag, then the access token is leaked in the referrer field. This is illustrated in Figure 5.

Figure 5
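The leak path above, and the server-side fix an application developer would apply, as an added example (not Symantec's or Facebook's code): the token-carrying landing URL is split so the app can store the token and redirect the browser to a token-free URL before rendering any page that embeds advertiser or analytics resources, and an ad server's access log is scanned for tokens that arrived in the Referer header. The parameter names `access_token` and `session`, the host names and the log lines are assumptions constructed for the example.

```python
# Added example (not Symantec's or Facebook's code): the leak path described
# above and its server-side fix. Hosts and the log lines are constructed.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names: a legacy "session" blob or an OAuth "access_token";
# either one left in the page URL ends up in the browser's Referer header.
TOKEN_PARAMS = {"access_token", "session"}

def strip_token_from_url(url):
    """Split the token out of the landing URL. The app stores it server-side
    and answers with a 303 redirect to the returned token-free URL, so later
    requests for embedded ads or analytics scripts carry a clean Referer."""
    parts = urlsplit(url)
    kept, token = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in TOKEN_PARAMS:
            token = value
        else:
            kept.append((key, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean, token

# Apache/nginx "combined" log format: request, status, size, referer, user agent.
LOG_RE = re.compile(r'"(?P<req>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
TOKEN_RE = re.compile(r"[?&](access_token|session)=([^&#\s]+)")

def leaked_tokens_in_log(lines):
    """Scan an access log (e.g. an ad server's) for tokens arriving via Referer.
    Returns (parameter, truncated token, referring page); the token is truncated
    so the report itself does not become another copy of the secret."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = TOKEN_RE.search(m.group("referer"))
        if hit:
            page = m.group("referer").split("?")[0]
            found.append((hit.group(1), hit.group(2)[:8] + "...", page))
    return found

# Constructed sample: one request whose Referer still carries a token, one clean.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2011:12:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"https://app.example/canvas/?page=home&access_token=EXAMPLE_TOKEN_12345" "Mozilla/5.0"',
    '203.0.113.8 - - [10/May/2011:12:00:02 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"https://app.example/canvas/?page=home" "Mozilla/5.0"',
]
```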


Needless to say, the repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked.

There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.

Nishant Doshi and Candid Wueest from Symantec are credited with the discovery of this issue.

Facebook has recently announced an update to their Developer RoadMap. The details of this update can be found here: https://developers.facebook.com/blog/post/497.

Update May 17th, 2011: For the last several weeks, we've been in touch with Facebook over the risk that certain applications that integrate with Facebook's Platform could have permitted third parties to access information Facebook users had shared with those applications. We would like to reiterate that once the issue was reported to them, Facebook took corrective action to eliminate this risk. To our knowledge, no Facebook users were impacted by this issue. Facebook also just posted the following article for its developers, guiding them towards secure coding standards.

Email Spam Re-produce False News Alerts for “Work From Home” Scams

Scammers have been busy these days generating false news alerts through email spam. In this way, they are trying to advertise their so-called rewarding “work from home” business. They are using the names of well-known news agencies in the email headers to arouse curiosity in the email reader’s mind. Using these names in the Subject and From headers, they want to give recipients an impression of authenticity. In doing so, users may feel compelled to believe the claims made in the email contents and, of course, to click the URLs as well. One of the sample subjects below even goes on to blame U.S. President Barack Obama and his policies for affecting the unemployed.

Some of the sample headers seen in the attack:

Subject: Yahoo! investigates "impossible" claims.

Subject: Need some money? ITV wants to help

Subject: BBC USA investigates: "Change your life in 60 seconds!"

Subject: Change your life in 60 seconds.

Subject: Obama's policies affecting unemployed

Subject: Yahoo!: Stay-at-home Dad Makes 7,208/Month Part-Time

Subject: Fox investigates "impossible" claims.

Subject: Yahoo! breaking news

Subject: CNN USA investigates latest claim.

Subject: Breaking news for Homemaker Father.

Subject: Fox News investigates latest claim.

Subject: Breaking news for Stay home Mother.

Subject: Homemaker Father claims investigated by TBS

Subject: Need some money? CNN! wants to help

From: "Don't pay a penny." <email address removed>

From: "Fox News: Exclusively for Stay home Mother" <

From: "Don't get scammed, free report." <

From: "Breaking news" <

From: "Yahoo!: "You can't miss this"" <

From: "Free report" <

In the recent past, they used “As seen on Oprah”, “As seen on TV”, or also “As seen on CNN, ABC, CBS NEWS, NBC, and Oprah” in the email headers and contents. But the difference this time can be seen in the subject, which says “BBC USA investigates”, “Fox investigates”, or “Yahoo! breaking news”. If the headers do not have the brand names, the URLs inside the messages may use the names of the news agencies:

[newsagency] [randomnumber]online.com

or domains like:

Some sample messages in the form of images:

As seen in the above examples, they come straight to the point in the content, where users are directed to a Web site promoting schemes to earn money and become rich quickly. On the Web site, there are three steps that a user needs to follow, the first of which is to give personal details like full name, email address, phone number and country. After submitting the details, it guides users to a page where they will be asked to buy a kit. Such Web sites show the usual tempting material, like an image showing checks earned, or videos of people benefiting from the scheme. Work-from-home scams work the same way – they simply lure victims into “earn money quick” jobs that require a minimal number of work hours. Scammers further testify to the successes of such schemes with the help of images or videos on their Web sites. This can be seen as an effort to clear any doubts in a potential victim’s mind. Needless to say, these schemes often lead to loss of time and money.

After Osama Bin Laden was killed by U.S. forces last week, online readers wanted to know all the facts of the operation. Therefore, a news alert may be opened without suspicion, or just out of curiosity, during this time. These emails were in circulation even before the U.S. raid took place, but looking at the continued format of news alerts, we wanted to keep users informed of this type of spam campaign. Symantec recommends that users follow the standard dos and don’ts published in our monthly Symantec State of Spam Report.

Microsoft buys Skype. What does that mean for security?

Skype is to be acquired by Microsoft for $8.5 billion.

Editor’s note: Since this article was first published, it has been confirmed that Microsoft has agreed to buy Skype.

If you were paying attention to the rumour-mill last week, you may have heard the story that one of Facebook or Google might well be about to buy Skype.

Scrub that story.

Today’s rumour is that Skype may be about to be acquired by Microsoft. The Wall Street Journal headlined the deal as “near”, and quoted a price between seven and eight billion dollars.

The WSJ cautions, though, that the deal may end up with a value of $8.5 billion when Skype’s long-term debt is taken into account. (When I was in primary school, I thought it was pretty nifty that a negative multiplied by a negative became positive. But nowhere near as nifty as an economist’s trick of adding in a great raft of debt and describing it as increasing value.)

For those not familiar with Skype, it’s an interesting sort of beast – loosely speaking, it’s an internet telephone company without much of a telephone company. Much of its operation is peer-to-peer, so that much of its bandwidth and infrastructure – not unreasonably, you must agree, for its free services – is provided directly by the users of the service.

One uncertainty – indeed, to some, it’s a controversy – about Skype’s proprietary software is whether it includes any sort of “lawful interception” system.

Most countries require landline and mobile phone operators to provide a vehicle by which duly-authorised law enforcement agents can intercept calls on their networks. Indeed, phone carriers spend a lot of money maintaining lawful interception systems, something which is as useful to law enforcement as it is worrying to privacy.

But since most Skype calls are peer-to-peer, and encrypted end-to-end, Skype isn’t a traditional phone carrier. Either it doesn’t have a lawful interception capability – which could be considered unfair to mainstream phone companies, who have to provide one – or, one can argue, it must contain some sort of network-independent backdoor – which could be considered a serious security risk.

So, if the Microsoft deal goes ahead, what’s likely to happen from a software and a security point of view? Here are my guesses:

* The Linux version of the Skype software will wither and die.

* The OS X version of the Skype software may wither and might die.

* Microsoft will add some sort of lawful interception system into the Skype software, assuming there isn’t one already. But they’ll be honest about doing so.

* You’ll need to get a Windows LiveID to create a Skype account.

* Skype will come under greater scrutiny from cybercrooks keen to find saleable vulnerabilities.

* Skype for Windows will come under the Microsoft Active Protections Program, which will balance out or defeat problems caused by the previous issue.

Of course, so far this is just rumour and speculation. And Microsoft’s official comment on rumour and speculation is that it doesn’t comment on rumour and speculation.

Sony’s cloudburst, Facebook controversy, FBI takedown, Armenia cut off – 90 Sec News – April 2011

Don’t just read the latest computer security news – watch it in 90 seconds!

This month: Sony suffers a cloudburst, Facebook courts controversy (again), the FBI busts the Coreflood botnet and Armenia gets cut off from the internet.

Watch and enjoy:

Or listen to the podcast:

10 May 2011, duration 2:11 minutes, size 2.1MBytes