[TheRecord] Facebook to work with GitHub to replace leaked API access tokens

The Meta security team announced today an official partnership with GitHub through which the two teams will work together to invalidate Facebook API access tokens that have accidentally been uploaded and leaked inside GitHub repositories.

The partnership is part of GitHub Secret Scanning, a GitHub security feature that scans all new code uploaded to the GitHub platform for strings that look like passwords and access tokens.

If these strings match a known format, GitHub alerts the project owner about the accidental exposure.

Secret Scanning formally launched in March this year, and GitHub added support for detecting Facebook API tokens a month later, in April 2021.

But today, Meta (Facebook’s new corporate name) said it officially partnered with GitHub, and the two companies will work together going forward.

The change is that, instead of only notifying the user about the leaked Facebook access token, GitHub will now also send details about the exposed token to Meta.

“Access tokens with a valid session will be automatically invalidated,” a Meta spokesperson said today. “When an access token is invalidated, the app admin will be notified via the Developer Dashboard.”

The partnership helps developers by closing the window in which an exposed token can be spotted by a malicious party before its real owner notices the leak.

Exposed Facebook tokens are a very sensitive matter for Meta, as they can be used to silently harvest Facebook data, extract personal information from a developer’s third-party Facebook app or game, or just send spam and malicious files to regular Facebook users.
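The detect-then-route flow described above, as an added illustration rather than GitHub's or Meta's own code: the token patterns, the entropy threshold and the sample diff are all assumed or constructed here (the "EAA" prefix is an assumption, not something the article states), and the scanner looks only at newly added lines, alerts the repository owner with a masked value, and hands the full token to the issuing provider for invalidation.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed token shapes for illustration only, not GitHub's or Meta's real detector rules.
PATTERNS = {
    "facebook_access_token": re.compile(r"\bEAA[A-Za-z0-9]{40,}\b"),
    "generic_hex_secret": re.compile(r"\b[0-9a-f]{40,}\b"),
}
MIN_ENTROPY = 3.5  # bits per char: real tokens are random, filler placeholders are not

@dataclass
class Finding:
    provider: str
    diff_line: int  # 1-based index of the line within the diff
    token: str

def shannon_entropy(s: str) -> float:
    """Bits per character; used to drop obvious fillers such as 'EAAAAA...'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_added_lines(diff_text: str) -> list:
    """Scan only the '+' lines of a unified diff, i.e. the newly pushed content."""
    findings = []
    for i, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for provider, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if shannon_entropy(m.group()) >= MIN_ENTROPY:
                    findings.append(Finding(provider, i, m.group()))
    return findings

def route(findings: list) -> dict:
    """Repo owner gets a masked alert; the issuing provider gets the full token to revoke."""
    return {
        "owner_alerts": [f"line {f.diff_line}: {f.provider} {f.token[:4]}...{f.token[-4:]}"
                         for f in findings],
        "provider_forward": [(f.provider, f.token) for f in findings],
    }

# Constructed sample diff: one realistic-looking token, one all-'A' placeholder, one benign line.
SAMPLE_DIFF = """\
+++ b/config.py
+DEBUG = True
+FB_TOKEN = "EAABwzLixnjYBAOZCZBz7k3q1mXd9Tf2Lp5Wv8Rg6Hn4Ju0Yc"
+EXAMPLE = "EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""
```

Running `route(scan_added_lines(SAMPLE_DIFF))` reports only the high-entropy token on diff line 3; the placeholder matches the pattern but is discarded by the entropy check.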

The post Facebook to work with GitHub to replace leaked API access tokens appeared first on The Record by Recorded Future.
