printer friendly version

BitDefender offers insights into recently discovered Facebook vulnerability

Security provider advises users on how to stay protected against future after Facebook vulnerabilities.

Symantec recently discovered a security vulnerability that affected the way third-party programs, such as games and other applications, accessed user data and information. According to BitDefender, the entire issue is related to OAUTH, the secure authorisation protocol, and the use of some deprecated parameters by different applications which are still not updating from OAUTH to its latest version, OAUTH2.0.

From this vulnerability, third parties, such as advertisers can get hold of access tokens, which open Facebook users’ account information (such as basic information, profiles, pictures) and will sometimes give them the ability to perform different actions in the user’s name.

“At the current time, it is unclear whether there actually was a data breach or not. Symantec discovered a security issue and notified Facebook accordingly,” commented Catalin Cosoi, head of the BitDefender Online Threats Lab. “This could mean that the issue was proactively discovered and Facebook fixed it before anyone lost any data. On the other hand, it could mean that it is a known vulnerability in the underground or unethical world and users’ private data has been leaking for some time now.”

Facebook has solved this issue as soon as possible, but this episode teaches all users two main lessons:

(1) applications should have switched to the new authorisation mechanism as soon as possible, and

(2) If any data was leaked, there is not much to be done now, since it is lost for good.

Although it should not be the case here, information extracted from social media can be easily converted into directed attacks, like phishing, highly social engineered spam messages and possibly even identity theft. Users should pay extra attention in the following months when it comes to all messages received and be very careful when asked to perform different actions, even if the messages/requests come from a trusted source.

“This information can be illicitly used by marketers and advertisers in order to better profile their users and to serve ads based on interests and views. As always, a good way for Facebook users to invalidate their current access tokens is for them to change their passwords,” advised Cosoi.

Share this article:

Further reading: