Facebook gives app devs 48hrs to fix security issues - Teckeela

May 17, 2011

Facebook gives app devs 48hrs to fix security issues

Facebook has been sending emails to application developers asking them to resolve security concerns arising from apps that still use older authentication methods, which can allow third parties to gain access to users' accounts.


Last week Symantec published a report on its blog saying that about 100,000 FB apps allowed data to leak. Following this, Facebook asked all developers to move to OAuth 2.0 by September 1. But that's too far away, so it has been asking developers to either apply a temporary fix or move directly to OAuth 2.0 within 48hrs. The following excerpt is from the email sent by FB:


Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties. Allowing user ids and access tokens to be passed to 3rd parties, even inadvertently, could allow these 3rd parties to access the data the user made available to your site. This violates our policies and undermines user trust in your site and Facebook Platform.
Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser. Our current OAuth 2.0 authentication system, released over a year ago, passes this information in the URL fragment, which is not passed to 3rd parties by the browser. 
If you discover the issue, you can do one of two things: 
1. Migrate your site to use our OAuth 2.0 authentication system. We are requiring all apps and sites to update to this mechanism by Sept. 1, 2011. Migrating now will address this issue and ensure that you are one of the first to meet the deadline. For more details, please see our Authentication Guide. 
2. Create and use an interstitial page to remove the authentication data before redirecting to your page with 3rd party content. This approach is used by many of our largest developers today (although they are all migrating to OAuth 2.0 shortly). This is a simple and straightforward change that should have minimal impact on your site. For more details on this approach, see our Legacy Connect Auth doc.
Because of the importance of ensuring user trust and privacy, we are asking you to complete one of the above steps in the next 48 hours. If you fail to do so, your site may be subject to one of the enforcement actions outlined in our policies.
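
The query-string versus fragment distinction described in the email, and the interstitial step it recommends, sketched as an added example (this is not Facebook's code and not part of the original post). The parameter names `uid` and `access_token`, the host `app.example` and the token value are constructed assumptions, and the Referer header is modelled as the full page URL minus its fragment.

```javascript
// Hypothetical parameter names; the page does not list the legacy field names.
const AUTH_PARAMS = new Set(["uid", "access_token"]);

// Constructed sample URLs: legacy style (query string) and OAuth 2.0 style (fragment).
const LEGACY_URL = "https://app.example/canvas?uid=1001&access_token=CONSTRUCTED_TOKEN&page=2";
const FRAGMENT_URL = "https://app.example/canvas?page=2#access_token=CONSTRUCTED_TOKEN";

// Model of the Referer a browser attaches when this page loads a third-party
// resource and sends the full URL: the fragment is always dropped, the query is kept.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = "";
  return u.href;
}

// Names of auth parameters a third party would see in that Referer.
function leakedParams(pageUrl) {
  const ref = new URL(refererFor(pageUrl));
  return [...new Set(ref.searchParams.keys())].filter((k) => AUTH_PARAMS.has(k));
}

// Interstitial step: pull the auth data out of the incoming URL (to be kept
// in the app's own session) and return a clean URL to redirect to, so the
// page that embeds third-party content never has credentials in its address.
function interstitial(requestUrl) {
  const u = new URL(requestUrl);
  const creds = {};
  for (const key of new Set(u.searchParams.keys())) {
    if (AUTH_PARAMS.has(key)) {
      creds[key] = u.searchParams.get(key);
      u.searchParams.delete(key);
    }
  }
  u.hash = "";
  return { creds, location: u.href };
}

console.log("legacy leaks:", leakedParams(LEGACY_URL));
console.log("fragment leaks:", leakedParams(FRAGMENT_URL));
console.log("redirect to:", interstitial(LEGACY_URL).location);
```
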

