Symantec says change your Facebook password now - ashwinraghav
http://www.ubergizmo.com/2011/05/symantec-says-change-your-facebook-password-now/

======
anon1385
Original source: [http://www.symantec.com/connect/blogs/facebook-applications-...](http://www.symantec.com/connect/blogs/facebook-applications-accidentally-leaking-access-third-parties)

------
pavel_lishin
So, does changing your password instantly lock out every web-app that I've
connected to my Facebook account? Or merely the stupid ones that allow me to
ask my Friends what their favorite flavor of ice cream is?

------
sanj
What's glossed over here is that this is _only_ an issue if you've allowed the
offline_access extended permission:

From the article:

_By default, most access tokens expire after a short time, however the
application can request offline access tokens which allow them to use these
tokens until you change your password, even when you aren't logged in._

Further, Facebook explicitly revokes tokens when you change your password.

~~~
joe_the_user
_Further, Facebook explicitly revokes tokens when you change your password._

Do you have a reference for that? Seriously, I'm working on OAuth stuff and I
would like as much information as possible.

~~~
teej
Under "Using The Access Token"

    If the user changes their password, the access token expires
    or the user deauthorizes your app in the App Dashboard, the
    Graph API will issue an HTTP 400 and return the error in the
    body of the response:

from <http://developers.facebook.com/docs/authentication/>

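The documented behaviour above (a revoked or expired token produces an HTTP 400 with the error in the body) is easy to get wrong client-side by retrying a stored offline_access token forever. The following is an added example, not code from the thread or from Facebook: a small token store that drops a token the API has rejected and flags the user for re-authorization. The two sample replies are constructed, and the shape of the error body is an assumption.

```python
import json

# Constructed sample Graph API replies (not captured from Facebook).  The docs
# quoted above only say "HTTP 400 ... error in the body"; the JSON layout used
# here is an assumption for the example.
SAMPLE_OK = (200, json.dumps({"id": "100", "name": "Example User"}))
SAMPLE_REVOKED = (400, json.dumps(
    {"error": {"message": "(constructed) access token is no longer valid"}}))


class TokenStore:
    """One access token per local user; purges tokens the API rejects."""

    def __init__(self):
        self._tokens = {}          # user -> {"token": str, "offline": bool}
        self.needs_reauth = set()  # users who must go through OAuth again

    def save(self, user, token, offline=False):
        # `offline` records that offline_access was granted; the token is still
        # revocable server-side (password change, deauthorization), so it is
        # never treated as permanent.
        self._tokens[user] = {"token": token, "offline": offline}
        self.needs_reauth.discard(user)

    def token_for(self, user):
        entry = self._tokens.get(user)
        return entry["token"] if entry else None

    def handle_response(self, user, status, body):
        """Interpret an API reply made with `user`'s token.

        Returns the parsed JSON on success, or None after the token has been
        dropped because the API reported it as invalid.
        """
        if status == 200:
            return json.loads(body)
        if status == 400 and "error" in json.loads(body):
            # Do not keep retrying a revoked token: discard it and require a
            # fresh authorization, which also re-prompts for permissions.
            self._tokens.pop(user, None)
            self.needs_reauth.add(user)
            return None
        raise RuntimeError(f"unexpected Graph API status {status}")
```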
------
joe_the_user
As far as I know, an OAuth token should be independent of one's password (that
is, in fact, their purpose).

If there are OAuth tokens giving excess permission floating around, I assume
the proper approach would be to remove permission from your various apps
and then give it to them again.

But what do I know? Well, other than Facebook's own documentation and OAuth
documentation?

~~~
jwatzman
My understanding is that this was a bug with the previous authentication
scheme, _before_ they rolled out OAuth. Changing your password revokes old
tokens for all authentication schemes and thus mitigates the problem.

------
drivebyacct2
Oooh, it was going so well and then they snarkily implied that security is
increased by regular password rotation. Sad.

