Facebook to Encrypt UIDs After App Security Breach

Chloe Albanesius, Executive Editor, News

In the wake of reports that popular Facebook applications are transmitting user information to ad networks, Facebook on Thursday announced plans to encrypt user IDs going forward.

Facebook will enable optional encryption over the next few weeks and then work with developers to ensure a complete transition to encryption in the future, Mike Vernal, a Facebook engineer, wrote in a blog post.

Earlier this week, The Wall Street Journal published a report that said many Facebook applications share users' personal information with advertising networks and other Internet-tracking companies. The problem affects tens of millions of Facebook's 500 million users, the Journal said, and all of the social-networking site's top 10 apps.

The report prompted two members of Congress to write to Facebook chief Mark Zuckerberg and demand more details on what type of information was being distributed.

On Thursday, Vernal said "initial press reports greatly exaggerated the implications" of sharing a Facebook user ID (UID) and provided some more details about what happened.

When a browser loads a piece of content, it sometimes sends an HTTP header that identifies the URL of the page loading that content. Certain types of apps written on Facebook Platform, known as iframe-based canvas apps, might contain the UID of a Facebook user in their URLs after that user has authorized an application.

"This UID is included in order to enable the application to build a personalized experience for the user," Vernal wrote.

In the wake of the Journal story, Vernal said some developers have been using techniques to remove the UIDs from the URL. Developers can issue these fixes on a case-by-case basis, but Vernal said Facebook wanted to "find a solution that would address the issue for all applications on the Facebook Platform." As a result, Facebook will start encrypting the parameters it sends to iframe-based apps, Vernal said.

"The proposal builds on our recent support for a parameter called signed request which is inspired by our discussions in the OAuth community," he wrote. "We will start encrypting this parameter as well, using the application's secret key, so that only the application will be able to read this information. This will prevent the accidental disclosure of this information via HTTP headers."
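The header involved is the HTTP Referer header, and the following sketch shows why a parameter that is signed but not encrypted still discloses the UID to whoever receives that header. It is an added example, not Facebook's code or anything from the article; the token layout (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 under the app secret) is an assumption modeled on signed request, and the URL, secret and UID are constructed values.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode, urlsplit, parse_qs

APP_SECRET = b"constructed-app-secret"  # constructed; known only to the app

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_request(data: dict, secret: bytes) -> str:
    """Platform side (assumed layout): <sig>.<payload>, both base64url."""
    payload = b64url_encode(json.dumps(data).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload

def verify_signed_request(token: str, secret: bytes) -> dict:
    """App side: accept the payload only if the HMAC matches."""
    sig_part, _, payload = token.partition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_part), expected):
        raise ValueError("signature mismatch: payload was not issued for this app")
    return json.loads(b64url_decode(payload))

def canvas_url(uid: str) -> str:
    """Constructed iframe URL carrying the signed parameter in its query string."""
    token = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": uid}, APP_SECRET)
    return "https://apps.example.test/canvas?" + urlencode({"signed_request": token})

def token_from_url(url: str) -> str:
    return parse_qs(urlsplit(url).query)["signed_request"][0]

def readable_without_secret(referer: str) -> dict:
    """What any recipient of the Referer value can decode: the signature
    protects integrity only, the payload is plain base64url JSON."""
    payload = token_from_url(referer).split(".", 1)[1]
    return json.loads(b64url_decode(payload))

if __name__ == "__main__":
    url = canvas_url("1234567890")  # constructed UID
    print("app verifies:       ", verify_signed_request(token_from_url(url), APP_SECRET))
    print("third party decodes:", readable_without_secret(url))
```

Signing stops a third party from altering the UID, but only encrypting the payload under the application's secret, as the proposal describes, keeps it unreadable when the URL travels in a header.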

Initial encryption parameters will be enabled in the next few weeks, and will eventually be applied to various Facebook SDKs. "Once the design is finalized, we will work with our developers to ensure a speedy transition to encrypted parameters," he said.

Vernal concluded by saying that HTTP header sharing is not exclusive to Facebook; it's a "Web-wide problem" and Facebook will work with the Web standards community and browser vendors in the next few months to address the issue, he said.
