Facebook is one bad Chrome extension away from another Cambridge Analytica scandal (Security News, February 2022)
Multiple Chrome browser extensions make use of a session token for Meta's Facebook that grants access to signed-in users' social network data in a way that violates the company's policies and leaves users open to potential privacy violations.
Security researcher Zach Edwards last week noted that Brave had blocked a Chrome extension called L.O.C. out of concern it exposed the user's Facebook data to a third-party server without any notice or permission prompt.
Whenever a victim installs such a Chrome extension while signed into Facebook, the extension obtains one of these tokens on the victim's behalf and uses it to silently read their Facebook data through the social network's Graph API. The extension then exfiltrates that data to a remote server.
There are parallels here: you hope that a quiz app won't share your Facebook profile info with others, and you hope a Chrome extension avoids that, too.
Though Facebook vowed to put in place measures to prevent another Cambridge Analytica fiasco, the Creators Studio access tokens in the hands of a malicious and widely installed Chrome extension could lead to a repeat of history.
The internet giant's spokesperson reiterated that the company regularly takes action to enforce its policies and noted that Facebook previously sent a cease and desist letter to the developer of the L.O.C. extension and banned him from the platform - though that's done nothing to disable the extension.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/02/17/chrome_meta_token/