
SANS ISC: Time to change your facebook password? SANS ISC InfoSec Forums

Time to change your facebook password?

Facebook and privacy seem contradictory at times, yet the site is used by about 500 million users for stuff that they might want to keep a bit private in the end.

According to Symantec and El Reg, there is a problem that allowed apps to leak access tokens, and those tokens remain valid. Apparently there are 100,000 apps that leak these tokens, and the tokens might sit in the log files of, e.g., advertisers, waiting to be abused.

The good news is that we can do something to invalidate the access tokens: change our password!

For those who don't know where to change the Facebook password: it's in the upper right, in the "Account" menu. Choose "Account Settings"; the 4th "change" link is for the password.

Facebook, to their credit, seems to have reacted as well and is going to move away from the older access tokens.

Swa Frantzen -- Section 66


760 Posts
May 10th 2011
Your password was not exposed by the tokens.

What is.. or was exposed is your profile, likes, favorites, events, friends, pages and pictures.

The biggest risk is that an app could post a like for something you didn't like.. and since likes can go outside of Facebook and execute just about anything this opens you up to an attack via a redirect. There are STILL 100,000 apps that use the old authentication methods and these apps CAN cause havoc. I personally do not run any app on FB just because they are what they seem to be... APPS that RUN that may have been created by ADVERTISING CRIME LORDS!

Be safe, Al
Al of Your Data Center

80 Posts
The reason for changing your password is that Facebook invalidates all access tokens to an account when you change your password, even those with theoretically infinite duration.
Al of Your Data Center
1 Posts
