Facebook denies privacy breach allegations by Symantec
No personal data could have been passed to third parties, company says
Computerworld - Facebook today denied that it may have accidentally exposed personal user data to advertisers and other third parties for several years, as claimed this week by two security researchers at Symantec Corp.
The researchers in a blog post Tuesday noted that a Facebook programming error -- since fixed -- could have allowed advertisers to access member profiles, photographs and chat messages and to post messages and mine personal data from them.
According to Symantec, the leaks stemmed from a faulty API used by developers of Facebook applications. It caused "hundreds of thousands" of Facebook applications to accidentally expose the so-called access tokens that are granted by users to Facebook applications. "Each token or 'spare key' is associated with a select set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, etc.," the researchers said.
Any third party or advertiser associated with an application developer that had used the faulty API would have had access to the tokens, allowing them to perform whatever actions the tokens allowed. While it's unclear how many advertisers even knew what was going on, the potential repercussions of the data leaks are "far and wide," Symantec claimed.
But Facebook downplayed the issue and argued that Symantec's report has a "few inaccuracies."
"We appreciate Symantec raising this issue and we worked with them to address it immediately," Facebook spokeswoman Malorie Lucich said in an emailed comment. But, "specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours," she said.
"The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies," Lucich said.
She added that Facebook has no evidence of information being used in a way that violates company policies. "We take any potential issue seriously and quickly took steps to prevent this from happening again."
- 3 privacy violations you shouldn't worry about
- U.S. commercial drone industry struggles to take off
- Snowden leaks erode trust in Internet companies, government
- NSA phone metadata collection program renewed for 90 days
- NSA isn't evil, says noted civil libertarian
- Franken presses Ford on location data collection practices
- Justices let stand appeals court decision on border searches of laptops
- California lawmakers move to bar state help to NSA
- Appeals court again nixes Google's bid to overturn Street View case
- Older Mac webcams can spy without activating warning light
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts