Facebook Leaks Access Tokens, Exposes Private User Data to Advertisers - mwbiz
http://www.eweek.com/c/a/Security/Facebook-Leaks-Access-Tokens-Exposes-Private-Data-to-Advertisers-416736/

======
mpobrien
>Most access tokens expire in two hours, but some tokens work offline and
remain valid until the user changes the password, Doshi said.

FB users can just go into their authenticated applications list and revoke
access tokens on a per-application basis. Changing passwords shouldn't be
necessary - that's the whole point of access tokens.

~~~
ceejayoz
Not only is it unnecessary, it won't do anything. One of the big _points_ of
access tokens is that they survive password changes, so a user can change
their credentials and not have to reauthorize a few dozen apps.

~~~
tantalor
"If the user changes their password, the access token expires"
[<http://developers.facebook.com/docs/authentication/>]

~~~
ceejayoz
That's not the case if `offline_access` has been requested.

------
Titanous
TL;DR: An old Facebook auth system included access tokens in app iframe URLs,
which were subsequently leaked through the referrer to app advertisers,
analytics, etc.
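To make the leak path in that TL;DR concrete, here is an added example (not Facebook's code, and not from the article) that models the browser's default Referer behaviour: everything in the iframe's URL except the fragment is sent to any third-party resource the page loads, so a token carried in the query string ends up in the advertiser's or analytics vendor's logs. The token value, app path and ad host below are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Query parameters that must never reach a third party via Referer.
SENSITIVE_PARAMS = {"access_token", "oauth_token", "code", "signed_request"}


def referer_for(page_url, resource_url):
    """Model of the Referer a browser sends when the document at page_url
    loads resource_url, under the classic default (no Referrer-Policy):
    scheme, host, path and query are sent; fragment and userinfo are not;
    nothing is sent on an https -> http downgrade."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if page.scheme == "https" and res.scheme == "http":
        return None
    netloc = page.hostname or ""
    if page.port:
        netloc += f":{page.port}"
    return urlunsplit((page.scheme, netloc, page.path, page.query, ""))


def leaked_params(referer):
    """Sensitive parameters a third party can read out of a Referer value."""
    if not referer:
        return {}
    qs = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in qs.items() if k in SENSITIVE_PARAMS}


def move_token_to_fragment(page_url):
    """Mitigation: carry the token in the URL fragment, which browsers never
    include in Referer (the page can still read it via location.hash)."""
    p = urlsplit(page_url)
    qs = parse_qs(p.query, keep_blank_values=True)
    moved = {k: qs.pop(k)[0] for k in list(qs) if k in SENSITIVE_PARAMS}
    fragment = "&".join(f for f in (p.fragment, urlencode(moved)) if f)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(qs, doseq=True), fragment))


if __name__ == "__main__":
    # Constructed canvas-app URL of the old style, with the token in the query.
    app_page = "https://apps.facebook.com/example-app/?access_token=CONSTRUCTED_TOKEN&ref=bookmarks"
    pixel = "https://ads.example/pixel.gif"  # constructed third-party resource
    print("leaked:", leaked_params(referer_for(app_page, pixel)))
    print("fixed :", leaked_params(referer_for(move_token_to_fragment(app_page), pixel)))
```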

------
VladRussian
>Certain Facebook applications are leaking “access tokens” to third parties,
such as advertisers, giving them access to personal-profile data ...

we all are sure that Facebook did it unintentionally, just by [technical]
mistake.

~~~
ceejayoz
The leak looks wholly unintentional. No conspiracy theories necessary.

------
eridius
If I haven't visited facebook.com in months, am I safe?