Research by Symantec's Nishant Doshi found that Facebook users' profiles, photographs, chats and other personal data had been leaking to application developers, many of whom are advertisers.
"Fortunately, these third-parties may not have realised their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue", he says in his latest security blog.
According to Doshi, his research team found that, under certain conditions, Facebook iFrame applications inadvertently leaked access tokens to third parties such as advertisers or analytics platforms.
"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We [also] estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties", he noted.
Doshi says that access tokens are like 'spare keys' granted by the user to a Facebook application.
Applications, he adds, can use these tokens to perform certain actions on behalf of the user or to access the user's profile.
Each token is associated with a specific set of permissions, such as reading your wall, accessing your friends' profiles or posting to your wall, he notes.
In a detailed breakdown of how the flaw can be exploited, the Symantec researcher notes that, whilst most access tokens expire after a short time, an application can request offline-access tokens, which remain valid until the user changes their password, even while the user is not logged in to Facebook. A leaked offline-access token therefore gives a third party the same long-lived access the application itself was granted.
"Needless to say, the repercussions of this access token leakage are seen far and wide. Facebook was notified of this issue and has confirmed this leakage. Facebook notified us of changes on their end to prevent these tokens from getting leaked", he says.