Facebook to work with GitHub to invalidate leaked API access tokens

The Meta security team announced today an official partnership with GitHub through which the two teams will work together to invalidate Facebook API access tokens that have accidentally been uploaded and leaked inside GitHub repositories.

The partnership is part GitHub Secret Scanning, a GitHub security feature that scans all new code uploaded on the GitHub platforms for strings that look like API keys and access tokens.

If these strings match a known format, GitHub alerts the project owner about the accidental exposure.

Formally launched in March this year, GitHub added support for detecting Facebook API tokens a month later, in April 2021.

But today, Meta (Facebook's new corporate name) said it officially partnered with GitHub, and the two companies will work together going forward.

The change is that GitHub will now scan public repositories for Facebook access tokens. It previously only scanned private ones.

"Access tokens with a valid session will be automatically invalidated," a Meta spokesperson said today. "When an access token is invalidated, the app admin will be notified via the Developer Dashboard."

The partnership comes to help developers as this prevents situations where the exposed token is spotted by a malicious party before the real owner.

Exposed Facebook tokens are a very sensitive matter for Meta, as they can be used to silently harvest Facebook data, extract personal information from a developer's third-party Facebook app or game, or just send spam and malicious files to regular Facebook users.