Facebook denies privacy breach allegations by Symantec

No personal data could have been passed to third parties, company says

Facebook today denied that it may have accidentally exposed personal user data to advertisers and other third parties for several years, as claimed this week by two security researchers at Symantec Corp.

The researchers in a blog post Tuesday noted that a Facebook programming error -- since fixed -- could have allowed advertisers to access member profiles, photographs and chat messages and to post messages and mine personal data from them.

According to Symantec, the leaks stemmed from a faulty API used by developers of Facebook applications. It caused "hundreds of thousands" of Facebook applications to accidentally expose the so-called access tokens that are granted by users to Facebook applications. "Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc.," the researchers said.

Any third party or advertiser associated with an application developer that had used the faulty API would have had access to the tokens, allowing them to perform whatever actions the tokens allowed. While it's unclear how many advertisers even knew what was going on, the potential repercussions of the data leaks are "far and wide," Symantec claimed.

But Facebook downplayed the issue and argued that Symantec's report has a "few inaccuracies."

"We appreciate Symantec raising this issue and we worked with them to address it immediately," Facebook spokeswoman Malorie Lucich said in an emailed comment. But, "specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours," she said.

"The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies," Lucich said.

She added that Facebook has no evidence of information being used in a way that violates company policies. "We take any potential issue seriously and quickly took steps to prevent this from happening again."

A Symantec spokesman this afternoon said the company still believes its original report is accurate, but did not comment further.

Kevin Haley, director at Symantec security response said that while it's likely that third-parties had not noticed the leak, it would be hard to say for sure whether someone noticed it and took advantage of it.

The issue is unlikely to improve Facebook's already battered reputation on the privacy front. The company has been at the center of numerous privacy related issues over the past couple of years.

Last October, for instance, the company found itself in the middle of a major firestorm after the Wall Street Journal reported that several popular Facebook applications such as FarmVille, Texas HoldEm Poker and FrontierVille had been secretly sending user information to advertisers.

Last year, the company was also hit with a lawsuit after some members claimed that changes the company made to its privacy settings made it even harder for users to control access to their personal data.

"This breach does not surprise me, because I've seen its like before in Facebook and in other Web sites [and] platforms," said Chris Palmer, technology director at the Electronic Frontier Foundation. "Although this bug might quite likely be an accident, it is not the first of its kind in Facebook."

Providing advertisers with detailed profiles of Facebook users has been part of Facebook's business model, he said. "Therefore we can expect for this kind of security failure to arise again," he said. "The business model requires Facebook to walk a fine line between keeping advertisers happy and not angering too many users."

Jeffrey Chester, executive director of the Center for Digital Democracy (CDD), said Facebook is working with a growing list of third parties who are in the business of collecting Facebook user information. "The company has the data collection for ad targeting spigot turned on -- so it's not a surprise that user information is leaking out to the others," Chester said.

"Facebook needs more than a digital plumbing job -- it needs to put a privacy policy in place that allows its members to actually control their information," Chester said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Read more about privacy in Computerworld's Privacy Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecurityWeb 2.0 and Web AppsFacebookprivacy

More about Electronic Frontier FoundationFacebookSymantecTopicWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place