Ramblings of this guy you know!

Tech Stuff and random observations on life as I see it….

The latest reason to change your Facebook password

Symantec’s released a blog post this week announcing the possibilty that web app developers may be mistakenly be leaking access token information that would allow postings to users walls and other areas without the users consent. By default now, all web apps are authenticating using Oauth2 and there is a deadline of 1st September 2011 for all apps to move to the new authentication system..

Symatic stated in their blog that: Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

The problem arises when an app uses the old Facebook API. When a user grants account access to a Facebook app it is given an ‘access token’ which it is then able to renew. Symantec said that this access token can be mistakenly inserted into a URL returned by Facebook. It is possible if ads are enabled or analytics are collected then these details will be stored in log files on the anaytics server. If this information is harvested by a nefarious source then malware could be posted via the users wall.

Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.

The full Symantic post and a detailed explanation of the process read here…
http://www.symantec.com/connect/blogs/facebook-applications-accidentally-leaking-access-third-parties

Facebook in Syria
While we are talking about Facebook, I heard a disturbing story about how the Syrian government is monitoring their citizens Facebook activity. Back in February they government lifted a five year ban on the use of Facebook but appears to be using a very poor unsigned certificate to spoof the Facebook site and performing a man-in-the-middle data gathering attack of all the unencrypted messages passing through. Disturbingly enough plenty of users (anywhere, not just related tp this story) are quite happy to continue onwards even when recommended not to.

I guess the two things to take away from this to ensure that you maintain your computer security:
1) Always use https to access web resources where possible to encrypt the information
2) If you are given a strange result from a certificate on what should be a trusted site then you should not just click the button to take you there anyway. If possible query it.

Advertisements

One response to “The latest reason to change your Facebook password

  1. Pingback: Recent Tech news articles « Ramblings of this guy you know!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: