Slashdot Mirror


Facebook Caught Exposing Millions of Credentials

fysdt writes "Facebook has leaked photographs, profiles and other personal information for millions of its users because of a years-old bug that overrides individual privacy settings, researchers from Symantec said. The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits."

3 of 159 comments

  1. Facebook should be fined. by grahamsaa · · Score: 5, Interesting

    There should be a law requiring a fine for each user whose personal information is compromised as a result of bugs like this. My bet is that if there were, this type of thing would happen far less often. Of course, Facebook isn't the only company guilty of this type of thing -- and I suspect that until there is some serious consequence associated with this type of security hole, most companies won't take it seriously enough.

    --
    Facts have a liberal bias.
  2. Bound to happen by softWare3ngineer · · Score: 3, Interesting

    These types of errors are bound to keep happening. Software is too large to find and fix everything. Not saying that it is right, or developers should give up, or software should generally be more secure than it is. But maybe we as users should keep this in mind when we put anything up on the Internet. Especially when dealing with sites like Facebook.

  3. Poisoning the well by HangingChad · · Score: 3, Interesting

    I assume Facebook is being back-doored by the feds, assume they sell information to advertisers, so the only difference here is that it was unintentional. So I keep my FB profile loaded with inaccurate, out of date information. Just seems like the best way to hide a tree is in a forest of misleading information.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage