In spite of its tremendous success and popularity overall, Facebook’s black mark—a tarnish that it has never managed to eradicate entirely—has been its trouble keeping its users’ private data, well… private.
The black mark may be rearing its ugly head again, according to security software maker Symantec Corp’s blog post yesterday.
Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts, including profiles, photographs and chat, and have also been able to post messages and mine personal information.
Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
These access tokens grant permissions, such as posting to your wall or accessing a friend’s profile.
Symantec says it reached out to Facebook, “who has taken corrective action to help eliminate this issue.” Of course, we’ve heard that story before—sweep it under the rug until it crawls back out.