Facebook “Spare Key” Security Flaw Existed For Years
Facebook user information was passed along to advertisers and third parties for years, according to a Symantec report sent to the social network last month.
The issue occurred when more than 100,000 Facebook applications accidentally passed along user access tokens. Those tokens, known as a “spare key,” could then be used to access a user’s account, allowing third parties to post info to the user’s wall and access other parts of the account.
Anyone with access to an access token would also be able to mine for personal information, gain access to the profiles of a user’s friends and access other parts of the user’s account. However, there is no reported evidence of such events occurring; in fact, it is believed that third parties were not even aware that they were receiving the extra information.
In a blog post on its website, Symantec wrote:
“We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”
Facebook, for its part, says it fixed the issue last month when it was first reported by Symantec. Users who still fear their information may have been compromised can simply change their Facebook password to invalidate the token.