Facebook and GitHub Comes up Together to Remove Leaked API Tokens

Secret scanning will scan your GitHub repository for any secrets.

Facebook security team officially joins partnership with GitHub team to search and invalidate the Facebook API access tokens that have been accidentally been uploaded and leaked inside GitHub repositories.

Both's teams will work on the GitHub Secret Scanning project, a GitHub security feature that scans all new code uploaded on the GitHub platforms for strings that look like passwords and access tokens. On scanning, if the project found strings that match with the API access tokens formats then GitHub pushes the alerts notification to the project owner or code developer for exposure or leaks.

GitHub has already added support for detecting Facebook API tokens, but with this new official partnership, GitHub will now also send details about exposed tokens to Facebook (or to Meta, Facebook's new corporate name).

“Access tokens with a valid session will be automatically invalidated,” a Meta spokesperson said today. “When an access token is invalidated, the app admin will be notified via the Developer Dashboard.”

This partnership will help the developer to prevent the heist situation, as exposed Facebook tokens can be used to silently harvest Facebook data, extract personal information from a developer’s third-party Facebook app or game, or just send spam and malicious files to regular Facebook users.