3rd Parties Obtaining Authentication Data from Facebook Application

This is a follow-up article to Facebook announces security issue for applications built on its platform.

In this article, let’s take a closer look at the issue.

Right at the beginning of the mail, Facebook advises that

Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties….This violates our policies and undermines user trust in your site and Facebook Platform.

Woo!  It sounds like a serious issue!  And the most important thing is that it is YOU who has done something, though not intentionally, to allow this to happen.

Then Facebook describes the situation,

In every case that we have examined, this information is passed via the HTTP Referer Header by the user’s browser.

Some developers, especially those coding at the application level, may respond as follows:

  • HTTP Referer Header?  What’s that!?
  • I have not done anything on HTTP Referer Header!
  • Is this a setting in the user’s browser that opens up the security hole?
  • Is this related to server settings?

If you contact the server team, I believe they will tell you they have no problems.

Reading further into the mail tells you more:

This can happen when using our legacy authentication system and including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser.

So, you will be safe and can ignore Facebook’s mail if

  • you are not using Facebook legacy authentication system
  • Or you are not including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data

However, I believe many of us do include 3rd-party content (e.g. ads, the jQuery JavaScript library, Google Analytics or other similar tracking scripts). Even if you are not including any of these, you are probably using the Facebook legacy authentication system.
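The leak Facebook’s mail describes, as an added example that is not code from the original post: a small Node.js model of the Referer a browser sends to each embedded third party when the page URL still carries authentication data, plus the generic defensive pattern of redirecting to a clean URL before any third-party content is rendered. The parameter names, hosts and the clean-URL redirect are assumptions for illustration, not Facebook’s real parameters or the fix the post refers to.

```javascript
// Added example, not code from the original post: models the HTTP Referer a
// browser attaches when a page whose URL carries authentication data embeds
// third-party <img>, <script> or <iframe> content. Names are constructed placeholders.

const AUTH_PARAMS = ["session", "access_token"]; // constructed placeholder names

// Referer a browser would send for resourceUrl when loaded from pageUrl, or null
// when the pre-Referrer-Policy default suppresses it (https page, http resource).
// The fragment (#...) is never sent; the path and full query string are.
function refererFor(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  if (page.protocol === "https:" && res.protocol === "http:") return null;
  return page.origin + page.pathname + page.search;
}

// Third-party origins that would receive authentication parameters via Referer,
// with the names of the parameters leaked to each.
function referrerLeaks(pageUrl, resourceUrls) {
  const pageOrigin = new URL(pageUrl).origin;
  const leaks = [];
  for (const resourceUrl of resourceUrls) {
    const origin = new URL(resourceUrl).origin;
    if (origin === pageOrigin) continue; // first-party content is not a 3rd party
    const referer = refererFor(pageUrl, resourceUrl);
    if (referer === null) continue;
    const params = new URL(referer).searchParams;
    const leaked = AUTH_PARAMS.filter((name) => params.has(name));
    if (leaked.length > 0) leaks.push({ origin, leaked });
  }
  return leaks;
}

// Generic mitigation (assumed here, not the post's own fix): once the server has
// read the auth data out of the query string and kept it server-side, redirect to
// this URL so the page that embeds third-party content never carries the secrets.
function cleanUrl(pageUrl) {
  const url = new URL(pageUrl);
  for (const name of AUTH_PARAMS) url.searchParams.delete(name);
  return url.toString();
}

// Constructed sample: an app page receiving auth data in its query string.
const PAGE = "http://app.example.com/canvas?session=SECRET&access_token=TOKEN&page=2";
const RESOURCES = [
  "http://ads.example.net/banner.gif",    // <img> from an ad network
  "http://cdn.example.org/jquery.min.js", // <script> from a CDN
  "http://app.example.com/static/app.js", // first party, nothing leaks
];
console.log(JSON.stringify(referrerLeaks(PAGE, RESOURCES)), "->", cleanUrl(PAGE));
```

Run with `node` to see both third-party hosts listed with the leaked parameter names, and the same check against `cleanUrl(PAGE)` returning no leaks.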

Facebook legacy authentication system? What’s that?  I know nothing about it and I believe I am not using it ….

If you are the one who asks similar questions, then I can say that you are probably using the Facebook legacy authentication system!  This is because if you are not sure what the “legacy authentication system” is, then you must be relying on either the PHP SDK or the JavaScript SDK to do the job for you.  And I can tell you, both the PHP SDK and the JS SDK are using the Facebook legacy authentication system!  Don’t ask about the Facebook PHP client library or the old JavaScript Connect JS library… they are old and I think you could get the answer by just guessing!

Just to make a short conclusion here, I think

MOST OF US are being affected!

Let me know if you are the lucky one!

Don’t despair!  There is always a solution to every problem…..


3 Responses to 3rd Parties Obtaining Authentication Data from Facebook Application

  1. Pingback: Facebook PHP SDK v3.0.0 released! | Wing's Blog on Facebook Development & Virtualization

  2. Robson says:

    After contacting them and they responding that everything was ok, they deleted my app with no further explanation and blocked my account…
    Is there any way I can recover my app in order to respect my clients??
