Facebook denies Symantec’s privacy breach claims
Symantec claims a Facebook programming error, which has since been fixed, could have allowed advertisers to access member profiles, photographs and chat messages, and mine personal data from them.
According to Symantec, the leaks stemmed from a faulty API used by developers of Facebook applications, causing “hundreds of thousands” of apps to accidently expose “access tokens”.
“Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc,” Symantec says.
“Any third party or advertiser associated with an application developer that had used the faulty API would have had access to the tokens, allowing them to perform whatever actions the tokens allowed.”
“While it’s unclear how many advertisers even knew what was going on, the potential repercussions of the data leaks are far and wide.”
A Facebook spokesperson said in a statement that no private information could have been passed to third parties, and the vast majority of tokens expire within two hours.
“[Symantec] also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in way that violates our policies,” the spokesperson said.
Symantec still believes its claims are accurate and says while it’s likely that third parties haven’t noticed the leak, it would be hard to detect whether someone had noticed it and taken advantage of it.
In a bid to curb cybercrime in Australia, Symantec recently teamed up with the Australian Federal Police to help raise consumer awareness of the issue.
According to Symantec’s 2010 Norton Cybercrime Report, 65% of adults worldwide have already fallen victim to cybercrime, while in Australia the statistic is slightly higher at 69%.
Craig Scroggie, Symantec vice president and managing director of the Pacific region, says cybercrime has become a “silent and global digital epidemic”.
“At the heart of this issue are cybercriminals making a fortune through the online black market – trading credit card details, banking details, even entire identities,” Scroggie says.
The AFP advises users to take the following security measures:
- Install security software and update it regularly.
- Turn on automatic updates so that all your software receives the latest fixes.
- Get a stronger password and change it at least twice a year.
- Stop and think before you click on links or attachments.
- Stop and think before you share any personal or financial information.
- Never respond to emails or cold calls purporting to be from banks or financial institutions.