Symantec has published a report claiming that for several years nearly 100,000 Facebook apps have been leaking access codes belonging to millions of users' profiles.
Symantec's report says that an app security flaw may have given advertisers and other third parties access to Facebook users' profiles, though a Facebook spokesperson said in a statement that there is "no evidence" of this occurring.
We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
Symantec compares these "access tokens" to spare keys that let apps interact with your profile.
For example, access tokens are often used if you'd like an app to automatically post game updates on your wall. You give apps permission to access certain parts of your profile, and the Facebook app functions according to those constraints.
According to Symantec's investigation, these tokens were included in URLs sent to the application host and were then sent to advertisers and analytics platforms. If the recipient recognized the codes, they'd be able to gain access to users' walls, profiles and more.
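The following sketch is an added illustration, not code from Symantec's report or from Facebook. It shows how an app host could strip tokens from page URLs and flag third-party requests that carry them. It assumes the token travels as an `access_token` URL parameter and reaches third parties through the request URL or the Referer header; the hostnames and log entries are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the token is carried in a parameter named access_token.
SENSITIVE = {"access_token"}

def scrub(url):
    """Return (clean_url, leaked_names) with sensitive parameters removed
    from both the query string and a key=value style fragment."""
    parts = urlsplit(url)
    leaked = []

    def clean(component):
        kept = []
        for key, value in parse_qsl(component, keep_blank_values=True):
            if key.lower() in SENSITIVE:
                leaked.append(key)
            else:
                kept.append((key, value))
        return urlencode(kept)

    query = clean(parts.query)
    # Only parse the fragment when it looks like parameters, not an anchor.
    fragment = clean(parts.fragment) if "=" in parts.fragment else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment)), leaked

def find_leaks(requests, first_party):
    """requests: iterable of (destination_url, referer). Report every request
    to a host other than first_party that exposes a sensitive parameter."""
    findings = []
    for dest, referer in requests:
        host = urlsplit(dest).hostname
        if host == first_party:
            continue
        for where, url in (("url", dest), ("referer", referer)):
            _, leaked = scrub(url)
            if leaked:
                findings.append((host, where, leaked))
    return findings

# Constructed sample of outbound requests made while rendering an app page.
SAMPLE = [
    ("https://ads.example.net/pixel.gif?cb=1",
     "https://app.example.com/canvas?level=3&access_token=CONSTRUCTED_TOKEN"),
    ("https://app.example.com/static/app.js",
     "https://app.example.com/canvas?access_token=CONSTRUCTED_TOKEN"),
    ("https://stats.example.org/collect?page=home", "https://app.example.com/home"),
    ("https://stats.example.org/collect?access_token=CONSTRUCTED_TOKEN&ev=view",
     "https://app.example.com/home"),
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE, "app.example.com"):
        print(finding)
```

Redirecting to the scrubbed URL before the page loads any third-party content keeps the token out of both the address bar and the Referer header.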
Facebook announced on Tuesday the app flaw has been patched, but Symantec still recommends that Facebook users change their passwords immediately.
Unlike last year's controversy over apps allegedly selling personal data to third parties, Symantec says that this time around, many third-party developers may not have known that they had access to users' accounts.
Nevertheless, Kevin Purdy, Facebook's director of developer relations, stated that the use of this personal data would be a violation of Facebook's developer policies.
A Facebook spokesperson offered the following statement to the Huffington Post:
We appreciate Symantec raising this issue and we worked with them to address it immediately. Unfortunately, their resulting report has a few inaccuracies. Specifically, we've conducted a thorough investigation which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties. In addition, this report ignores the contractual obligations of advertisers and developers which prohibit them from obtaining or sharing user information in a way that violates our policies. Finally, the change we announced today on our developer blog http://bit.ly/mebicS removes the outdated API referred to in Symantec's report.
Read Symantec's full report here.