Facebook to work with GitHub to replace leaked API access tokens

Facebook

The Meta security team announced today an official partnership with GitHub through which the two teams will work together to invalidate Facebook API access tokens that have accidentally been uploaded and leaked inside GitHub repositories.

The partnership is part GitHub Secret Scanning, a GitHub security feature that scans all new code uploaded on the GitHub platforms for strings that look like passwords and access tokens.

If these strings match a known format, GitHub alerts the project owner about the accidental exposure.

Formally launched in March this year, GitHub added support for detecting Facebook API tokens a month later, in April 2021.

But today, Meta (Facebook’s new corporate name) said it officially partnered with GitHub, and the two companies will work together going forward.

The change is that instead of notifying the user about the Facebook access token leak, GitHub will now also send details about exposed tokens to Meta as well.

“Access tokens with a valid session will be automatically invalidated,” a Meta spokesperson said today. “When an access token is invalidated, the app admin will be notified via the Developer Dashboard.”

The partnership comes to help developers as this prevents situations where the exposed token is spotted by a malicious party before the real owner.

Exposed Facebook tokens are a very sensitive matter for Meta, as they can be used to silently harvest Facebook data, extract personal information from a developer’s third-party Facebook app or game, or just send spam and malicious files to regular Facebook users.

The post Facebook to work with GitHub to replace leaked API access tokens appeared first on The Record by Recorded Future.

Article Link: Facebook to work with GitHub to replace leaked API access tokens - The Record by Recorded Future