This is a follow-up article to "Facebook announces security issue for applications built on its platform".
In this article, let’s take a closer look at the issue.
Right at the beginning of the mail, Facebook advises that
Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties…. This violates our policies and undermines user trust in your site and Facebook Platform.
Wow! It sounds like a serious issue! And the most important thing is that it is YOU who have done something, though not intentionally, to allow this to happen.
Then Facebook describes the situation,
In every case that we have examined, this information is passed via the HTTP Referer Header by the user’s browser.
Some developers, especially those coding at the application level, may have the following reactions:
- HTTP Referer header? What's that!?
- I have not done anything with the HTTP Referer header!
- Is this a setting in the user's browser that opens up the security hole?
- Is this related to server settings?
If you contact the server team, I believe they will tell you there is no problem on their side.
Reading further in the mail tells you more,
This can happen when using our legacy authentication system and including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser.
In other words: the legacy flow sends the browser back to your page with the authentication data sitting in the URL query string, and when that page then loads an <iframe>, <img> or <script> from another host, the browser attaches the full page URL, query string included, as the Referer of that request. The third party's server log now holds your user's authentication data. So, you will be safe and can ignore Facebook's mail if
- you are not using the Facebook legacy authentication system
- or you are not including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data
Facebook legacy authentication system? What's that? I know nothing about it and I believe I am not using it…
Just to make a short conclusion here, I think
MOST OF US are being affected!
Let me know if you are the lucky one!
Don't despair! There is always a solution to every problem…