Facebook User Credentials Exposed

Regardless of the numerous guides to Facebook members on maintaining privacy, caution is thrown to the wind when yet a new Farm-ish game, a cause to support or some other enticing Facebook application comes along.

Unfortunately, it has been discovered by Symantec that in certain cases, Facebook IFRAME applications have inadvertently leaked access tokens to third parties.  According to the analysis completed by Symantec, as of last month there were almost 100,000 applications enabling the leakage of access tokens. 

The referenced "access token" leakage means that the keys containing permissions; such as, accessing your friend's list, posting on your wall, and seeing any personal information you allowed the application have likely been provided to advertisers or analytic programs.

According to the Facebook Developer Blog, steps are being taken to transition Facebook applications from the old Facebook authentication system and HTTP to OAuth 2.0.  (OAuth 2.0 is a process of providing third-party applications limited access and HTTPS.)

Recommendations

1. Change your Facebook password since this step automatically clears all previously issued access tokens.
   
2. Turn on Security Browsing (HTTPS):

• Navigate to your Account Settings page. 
• Click the "Change" link next to Account Security
• Check the box under "Secure Browsing (https)" and then click the "Save" button.

References

• Developer Roadmap Update: Moving to OAuth 2.0 + HTTPS
• Facebook Applications Accidentally Leaking Access to Third Parties

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...