Wednesday, May 11, 2011

Facebook password exposure - what's it really mean?

In case you haven't heard yet, Symantec found that Facebook applications could have been leaking 'user access tokens' (the credential that lets an application access your pictures, post messages, and so on) to third parties.  Just to be clear, the applications do not have your password, nor did they leak passwords.

When you install an application, you have to give that app permissions... when you do this, the application gets what Symantec has called a spare-key.  This is the token that lets the app do things like post messages on your wall, send requests to friends - stuff like that.  Some applications were written in a way that told FB to send the token in the URL, and the application might then also include that token in URLs sent to advertisers.
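
To make the leak concrete, here is an added example (not code from the post, from Symantec or from Facebook) written from the advertiser's side of the fence: when an app page whose URL carries the token embeds a third-party script, the browser sends that page URL as the Referer, so the token lands in the third party's access log. The script scans constructed log lines for token-carrying Referers and shows how to redact the token before such a URL is logged or passed on. The parameter names in TOKEN_PARAMS, the host names and the log lines are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of the query/fragment parameters that carry the "spare key".
TOKEN_PARAMS = {"access_token", "oauth_token"}

# Constructed third-party (advertiser-side) access log lines. The Referer column
# is the app page that loaded the ad; one of them carries the user's token.
LOG_LINES = [
    '203.0.113.5 - - [11/May/2011:10:00:00 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example/canvas?access_token=abc123&page=2" "Mozilla/5.0"',
    '203.0.113.6 - - [11/May/2011:10:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"http://apps.example/canvas?page=1" "Mozilla/5.0"',
    '203.0.113.7 - - [11/May/2011:10:00:02 +0000] "GET /ad.js HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
]

# Pulls the Referer field out of a combined-format log line.
REFERER_RE = re.compile(r'" \d{3} \d+ "(?P<referer>[^"]*)"')


def token_params_in(url):
    """Names of token-carrying parameters found in the URL's query string or fragment."""
    parts = urlsplit(url)
    found = set()
    for chunk in (parts.query, parts.fragment):
        for name, _ in parse_qsl(chunk, keep_blank_values=True):
            if name.lower() in TOKEN_PARAMS:
                found.add(name.lower())
    return found


def redact_url(url, mask="REDACTED"):
    """Mask token-carrying parameters; every other part of the URL is preserved."""
    parts = urlsplit(url)

    def scrub(chunk):
        pairs = parse_qsl(chunk, keep_blank_values=True)
        if not pairs:
            return chunk
        return urlencode([(k, mask if k.lower() in TOKEN_PARAMS else v)
                          for k, v in pairs])

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       scrub(parts.query), scrub(parts.fragment)))


def leaked_referers(lines):
    """Return the redacted Referer of each request that delivered a token to this host."""
    leaks = []
    for line in lines:
        m = REFERER_RE.search(line)
        if not m or m.group("referer") == "-":
            continue
        referer = m.group("referer")
        if token_params_in(referer):
            leaks.append(redact_url(referer))
    return leaks


if __name__ == "__main__":
    for leak in leaked_referers(LOG_LINES):
        print("token arrived via Referer:", leak)
```

Running the script reports the one log line whose Referer carried `access_token`, with the token masked. The same `redact_url` routine is the kind of thing an app developer would apply to any URL before writing it to a log or handing it to a third-party script, which is the part the post says Facebook could not do on the apps' behalf.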

Facebook has since fixed the issue that let this happen, but they can't go out and find all the places the tokens might be stored or used.


What can you do? Change your password!  And of course, you all know to use a strong password.

This works a bit like re-keying a lock... the old spare-keys that were leaked out in URLs (and possibly stored in logs or by advertisers) will no longer work.  The applications will still work - they will get a new spare key, and the issue that let them leak it has been fixed.
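
As an added illustration of the re-keying idea (this is not the post's or Facebook's code, and the token format, class and method names are assumptions), the token store below ties every token it issues to a per-user key generation. Changing the password bumps the generation, so a token that leaked before the change is rejected even though it is otherwise genuine, while an app that re-authorizes afterwards gets a fresh token that works. Tokens carry an HMAC so a client cannot simply edit the generation number.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Issues and checks app access tokens bound to a per-user key generation."""

    def __init__(self, server_secret=None):
        # Server-side secret used to MAC tokens so they cannot be forged or edited.
        self._secret = server_secret or secrets.token_bytes(32)
        self._generation = {}   # user -> current key generation (the "lock")
        self._passwords = {}    # user -> (salt, PBKDF2 digest)

    def set_password(self, user, password):
        """Set or change a password. A change re-keys: all earlier tokens stop working."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._passwords[user] = (salt, digest)
        self._generation[user] = self._generation.get(user, -1) + 1

    def _mac(self, payload):
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user, app):
        """Hand an app its 'spare key' for the user's current generation."""
        if user not in self._generation:
            raise KeyError(f"unknown user {user!r}")
        payload = f"{user}.{app}.{self._generation[user]}"   # names assumed dot-free
        return f"{payload}.{self._mac(payload)}"

    def check_token(self, token):
        """Return (user, app) for a valid, current token; None otherwise."""
        try:
            user, app, gen, mac = token.split(".")
        except ValueError:
            return None
        payload = f"{user}.{app}.{gen}"
        if not hmac.compare_digest(self._mac(payload), mac):
            return None   # forged or tampered token
        if int(gen) != self._generation.get(user):
            return None   # issued before the last re-keying: a leaked copy dies here
        return (user, app)


if __name__ == "__main__":
    store = TokenStore()
    store.set_password("alice", "old-pass")
    old = store.issue_token("alice", "farmgame")
    print("before password change:", store.check_token(old))
    store.set_password("alice", "new-pass")
    print("after password change: ", store.check_token(old))
    print("re-authorized app:     ", store.check_token(store.issue_token("alice", "farmgame")))
```

The generation counter is what lets the old keys die without touching the apps: nothing has to be chased down in advertisers' logs, because whatever is stored there no longer opens the lock.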

If you want the full gory details, check out the Symantec post.
