Symantec today warned that advertisers, analytic platforms, and other third parties may be able to access Facebook users' personal information using inadvertently leaked application tokens. The security company advised Facebook users to change their passwords on the social networking site in order to protect their accounts from being mined.
Facebook said it has fixed a year-old flaw, reported by Symantec, that caused iframe applications to inadvertently leak access tokens. Those tokens can be used maliciously to get at users' profiles, photographs, and chats, as well as for posting messages -- which could include links to malware sites -- to their Facebook pages.
Facebook's fix, however, has only stopped the leak; the aforementioned tokens still reside in log files of third-party servers or are still being actively used by advertisers. Symantec estimated that as of April of this year, close to 100,000 applications were enabling the leakage: "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
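The point about tokens lingering in third-party log files is the one a defender can act on directly. The following script is an added example, not part of this article or of Symantec's research; it assumes (an assumption not stated on this page) that a leaked token travels in a URL query parameter named `access_token` and therefore lands in the request line or Referer field of an ordinary combined-format web server log. It scans such log lines for token values so an operator can see whether their logs hold material that should be purged, and it redacts the values before the lines are retained. The log entries, hostnames and token strings are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries in Apache/nginx combined log format.
# Hosts and token values are made up for illustration.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/canvas/?access_token=AAAExampleToken123&signed=1" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /track?access_token=AAASecondToken456 HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2011:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"https://www.example.com/" "Mozilla/5.0"',
]

# Query parameter names treated as credential-bearing (assumed, see lead-in).
TOKEN_PARAMS = ("access_token",)

# Captures the request path and the quoted Referer field of a combined-format line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Matches a token value so it can be replaced without touching the rest of the line.
TOKEN_VALUE_RE = re.compile(r'(access_token=)[^&"\s]+')


def tokens_in_url(url):
    """Return the values of any token-bearing query parameters in a URL or path."""
    params = parse_qs(urlsplit(url).query)
    found = []
    for name in TOKEN_PARAMS:
        found.extend(params.get(name, []))
    return found


def find_leaked_tokens(lines):
    """Return (line_number, field, token) for every token in a request path or Referer.

    line_number is 1-based; field is "path" or "referer".
    """
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a combined-format line; nothing to inspect
        for field in ("path", "referer"):
            for token in tokens_in_url(match.group(field)):
                hits.append((number, field, token))
    return hits


def redact_line(line):
    """Replace any access_token value in the line with a fixed marker."""
    return TOKEN_VALUE_RE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    for number, field, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {number}: token in {field} ({len(token)} chars)")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against a real access log, the first loop gives an inventory of which lines carry tokens and where (request line versus Referer), which is what an operator needs before deciding how far back to purge; `redact_line` is meant to sit in the log pipeline so new entries are stored without the credential in the first place.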
"Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile," according to Symantec.
Details of how the leak works are described in Symantec's blog.