Posts tagged: Facebook Privacy

May 11 2011

Facebook exposed user data to advertisers

Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network, US computer security firm Symantec says.

Symantec discovered that certain Facebook applications leaked tokens that act essentially as “spare keys” for accessing profiles, reading messages, posting to walls or other actions.

Facebook applications are web software programs that are integrated into the leading online social network’s platform. Symantec said that 20 million Facebook applications such as games are installed every day.

The tokens were being leaked to third-party applications, including advertisers and analytics platforms, allowing them to post messages or mine personal information from profiles, according to Nishant Doshi of Symantec.

“Fortunately, these third-parties may not have realized their ability to access this information,” Doshi said in a blog post.

“We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.”

Symantec estimated that as of April, nearly 100,000 applications were giving away keys to Facebook profiles.

“We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties,” Doshi said.

Facebook confirmed the problem, which was discovered by Doshi and Symantec colleague Candid Wueest, according to the computer security firm.

There was no reliable estimate of how many tokens have been leaked since the release of Facebook applications in 2007.

Despite whatever fix Facebook has put in place, token data may still be stored in files on third-party computers, Symantec warned.

“Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens,” Doshi said.

“Changing the password invalidates these tokens and is equivalent to ‘changing the lock’ on your Facebook profile.”

Mar 23 2011

AT&T Facebook Traffic Takes a Loop Through China & South Korea

Traffic destined for Facebook from AT&T’s servers took a strange loop through China and South Korea on Tuesday, according to a security researcher.

Facebook Route

As Barrett Lyon wrote on his blog, typically AT&T customers’ data would have routed over the AT&T network directly to Facebook’s network provider, but due to a routing mistake their private data went first to Chinanet, then via Chinanet to SK Broadband in South Korea, then to Facebook. This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect modus operandi.

Route to Facebook from AT&T on 22nd March 2011 :

route-server>show ip bgp 69.171.224.13 (Facebook’s www IP address)
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934

The AS path (routing path) translates to this:
1. AT&T (AS7018)
2. Chinanet (AS4134, data in China)
3. SK Broadband (AS9318, data in South Korea)
4. Facebook (AS32934, data back in the US)
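The AS path above is exactly the kind of thing an operator can check automatically: parse the `show ip bgp` output, collapse the prepended 32934 entries, and alert when a path to a prefix you care about crosses a network that is not on your expected list. The script below is an added example, not code from this post or from Barrett Lyon; the ASN-to-name table is constructed from the four networks named in the post (a real deployment would pull it from RIR/WHOIS data), and the allow-list of expected ASNs is an assumption for an AT&T customer reaching Facebook directly.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the route-server excerpt quoted in the post, unchanged.
SAMPLE_BGP_OUTPUT = """\
route-server>show ip bgp 69.171.224.13
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934
"""

# Hypothetical ASN -> (name, country) table covering only the ASNs in the post.
ASN_NAMES: Dict[int, Tuple[str, str]] = {
    7018: ("AT&T", "US"),
    4134: ("Chinanet", "CN"),
    9318: ("SK Broadband", "KR"),
    32934: ("Facebook", "US"),
}

PREFIX_RE = re.compile(r"BGP routing table entry for (\S+),")
# An AS path line consists solely of whitespace-separated integers.
AS_PATH_RE = re.compile(r"^(\d+(?: \d+)*)\s*$")


def parse_bgp_entry(text: str) -> Tuple[Optional[str], List[List[int]]]:
    """Return (prefix, list of AS paths) from 'show ip bgp' style output."""
    prefix = None
    paths: List[List[int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX_RE.search(line)
        if m:
            prefix = m.group(1)
            continue
        m = AS_PATH_RE.match(line)
        if m:
            paths.append([int(a) for a in m.group(1).split()])
    return prefix, paths


def dedupe_prepends(path: List[int]) -> List[int]:
    """Collapse AS path prepending (32934 32934 32934 -> 32934)."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def describe_path(path: List[int]) -> List[Tuple[int, str, str]]:
    """Annotate each hop with its (assumed) network name and country."""
    return [(asn, *ASN_NAMES.get(asn, ("unknown", "??")))
            for asn in dedupe_prepends(path)]


def unexpected_transit(path: List[int], allowed_asns: set) -> List[int]:
    """ASNs on the path that are not in the allow-list of expected networks."""
    return [asn for asn in dedupe_prepends(path) if asn not in allowed_asns]


def analyse(text: str, allowed_asns: set) -> List[dict]:
    """One finding per AS path: hops, countries crossed, and unexpected ASNs."""
    prefix, paths = parse_bgp_entry(text)
    findings = []
    for p in paths:
        hops = dedupe_prepends(p)
        findings.append({
            "prefix": prefix,
            "path": hops,
            "countries": sorted({ASN_NAMES.get(a, ("", "??"))[1] for a in hops}),
            "unexpected": unexpected_transit(p, allowed_asns),
        })
    return findings


if __name__ == "__main__":
    # Assumed expectation: AT&T hands traffic straight to Facebook.
    for f in analyse(SAMPLE_BGP_OUTPUT, {7018, 32934}):
        print(f["prefix"], describe_path(f["path"]))
        if f["unexpected"]:
            print("ALERT: unexpected transit via", f["unexpected"], "countries:", f["countries"])
```

Run against the quoted output it reports the prefix 69.171.224.0/20 with a path through AS4134 and AS9318 as unexpected transit; fed a route-server dump on a schedule, the same check turns a one-off blog observation into a standing detection for prefixes you depend on.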

What could have happened with your data? Most likely absolutely nothing. Yet China is well known for its harmful networking practices, limiting network functionality and spying on its users, and when your data is flowing over their network it could be treated like any Chinese citizen’s. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc.? One can only speculate; however, it’s possible.

This happens all the time — the Internet is just not a trusted network.

One way to prevent this from happening to your account: Enable HTTPS.

In January, Facebook rolled out the HTTPS feature to all browsing done on the site, but it’s an opt-in setting, not automatic. Previously, Facebook used HTTPS only when you entered your password.

To enable this security feature, go to Account Settings >> Account Security, click “change”, and check “Browse Facebook on a secure connection (https) whenever possible”.

Facebook Account Security