Security firm Symantec has discovered a security flaw in Facebook that inadvertently gives advertisers and other outside parties access to people's accounts. But Facebook said it has fixed the problem and found no evidence that any private information was shared with any outside party.
Symantec said Tuesday that the outside parties may not even have realized that they were able to access users' profiles, photos and chats.
The problem was leaking "access tokens," which are akin to spare keys that let apps access your profile if you gave them permission, Symantec researcher Nishant Doshi said in a blog post.
Doshi estimates that some 100,000 applications were enabling the data leak as of April. Over the years, however, hundreds of thousands of applications may have accidentally leaked millions of access tokens to outside parties.
Most of the access tokens used on Facebook expire after two hours, so a leaked one is only useful to an outsider for a short window. But Doshi said an application can also request and use offline access tokens, which do not expire on their own and remain valid until the user changes their password, so a leaked offline token stays usable indefinitely unless the password is changed.
The leaky apps had been using an old version of Facebook's authentication method. The current one doesn't have this problem, and Facebook is moving app makers to the new system, said Kevin Haley, director of security response at Symantec.
Users who are concerned can change their Facebook passwords, which has the effect of changing the lock on a Facebook profile. But Haley said users shouldn't be overly worried.
"The potential is very large but we have no evidence that anyone did anything with this capability," he said.
In a prepared statement, Facebook said its advertisers and developers are prohibited from obtaining or sharing user information in a way that violates the company's policies.