Facebook has Exposed a ‘God Mode’ Token that Might be Used to Harvest Data

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users’ Facebook data to potential theft. “If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user’s Facebook data,” explained Francois Marier, a security engineer at Brave, in a post. “The API used by the extension does not cause Facebook to show a permission prompt to the user before the application’s access token is issued.” 
Loc Mai, the extension’s developer, stated in an email that the Graph API on Facebook requires a user’s access token to function. The extension sends a GET request to Creator Studio for Facebook to receive the token, which allows users of the extension to automate the processing of their own Facebook data, such as downloading messages. The request returns an access token to the extension for the logged-in Facebook user, allowing additional programmatic interactions with Facebook data. 
Zach Edwards, a security researcher, said, “Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scraped due to a token exposure.” Nonetheless, Facebook appears to regard this data-dispensing token as a feature rather than a bug.
According to Mai, his extension does not harvest information, as stated in the extension’s privacy policy. Currently, the extension has over 700,000 users. “The extension does not collect the user’s data unless the user becomes a Premiu

[…]