Facebook applications may leak users’ private data to third parties, including advertisers, according to researchers at security giant Symantec.

The social network site allows third party applications, the most popular of which are games, to run inside an iFrame, a partition within a web page that allows it to run code from an external site.

Symantec claims that due to a coding error, Facebook’s iFrame applications leak ‘access tokens’ to third parties such as advertisers or web analytics providers, granting them permission to access users’ photos, messages and personal data.

"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage," wrote Symantec research Nishant Doshi in a company blog post. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."

The company believes that those parties may not have realised that they could access that data.

Symantec has informed the social networking giant of the issue, it says. "Facebook notified us of changes on their end to prevent these tokens from getting leaked." It recommends that Facebook users change their passwords.

It is not the first time Facebook has been accused of inadvertantly leaking users’ private data. In October last year, two Facebook users sued the company, alleging that the ‘referrer headers’ that tell advertisers when a user has clicked on an ad contain private data about that user’s browsing history.

Facebook denied the charges, arguing that there had been no material damage as a result of the practice. A similar suit has since been launched against LinkedIn, the professional social network popular in the IT industry.