Meta User Token
Service Name: Meta (Facebook)
Service Description: Meta Platforms, Inc. (formerly Facebook, Inc.) is a technology company that owns and operates Facebook, Instagram, WhatsApp, and other products and services. Meta user tokens are used to authenticate and authorize API requests to Meta's platforms.
Service Address: https://developers.facebook.com/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants access to Meta platforms (Facebook, Instagram) APIs based on the permissions associated with the token. Can be used to read user data, post content, or perform other actions on behalf of a user.
Secret Revokement URL: https://developers.facebook.com/tools/accesstoken/
Secret Example: EAAWXmZCnF0ycBAJZCVrZBZAMrZAZBVUZCXmZBZCnF0ycBAJZCVrZBZAMrZAZBVUZCXmZBZCnF0ycBAJZCVrZBZAMrZAZBVUZCXmZBZCnF0ycBAJZCVrZBZAMrZAZBVUZCXmZBZCnF0ycBAJZCVrZBZAMrZAZBVUZCXmZBZCnF0ycBAJZCVrZBZAMrZAZBVUZCXmZBZCnF0ycBAJZCVrZBZAMrZAZBVUZCX
Suspicious Activity Investigation Instructions:
- Review the Meta Developer Dashboard for unauthorized API calls or unusual activity patterns
- Check for unexpected app permissions or changes to app settings
- Examine the token's debug information to verify its origin and permissions
- Review Facebook Business Manager for any unauthorized ad campaigns or spending
- Check for unusual posts, messages, or activities on connected accounts
Mitigation Instructions:
- Immediately revoke the exposed token through the Meta Developer Dashboard
- Generate a new token with appropriate permissions
- Review and update app permissions to follow the principle of least privilege
- Enable additional security features like app review for sensitive permissions
- Update any code repositories to remove the exposed token and use environment variables instead
- Consider implementing token rotation policies for better security