Following Security Problem, Facebook Moves to OAuth 2.0, HTTPS and SSL Certificates

Facebook is telling developers today to plan to migrate to newer security standards on the platform — a mostly-planned migration whose roadmap was accelerated because of a data leak discovered by security firm Symantec. Developers will need to migrate to the OAuth 2.0 open standard by September 1 of this year, and they’ll need to have obtained an SSL certificate (not a straightforward process) by October 1.

The security issue was that some applications that used an older authentication system could have shared access to users with third parties, which is conceptually similar to the leaked user identity numbers issue that got so much attention last fall. In this case, older Facebook iframe-based applications could first ask users for permission for actions such as accessing friends lists or posting to the user’s profile walls, as well as the ability to access their profile when they were offline. Facebook would then send back a permission token to the app, in an insecure format that might then be shared (intentionally or not) with others, such as with advertising networks to use for better ad targeting.

It’s not clear what the scope of the problem is. Symantec, which sells security software and so has a stake in there being problems to solve, estimates that more than 100,000 applications had this problem as of last month. It’s not clear how many apps have been leaking tokens, nor for how long.

In response, Facebook reiterates a variety of security steps it is taking, and it also says it has not seen evidence of the tokens being used in a way that violates its policies (which don’t allow third parties reselling data).

The real-world implications of the issue appear to be this: a subset of users who use apps (some users don’t), who also used apps that were leaking data, may have provided a set of permissions that possibly exposed information and access points to unknown parties. So, without more evidence, probably not that terrible. Or as security researcher Joey Tyson summed up earlier today: “Facebook cred leak: 1) Yrs old, 2) not passwords, 3) not OAuth-specific, 3) hard to fix, 4) has caveats, 5) FB monitors, 6) fix in progress.”

In any case, here’s the developer roadmap for the changes, via the company developer blog post today:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

Strategic Mobile Marketing

Mediabistro Course

Strategic Mobile Marketing

On October 21. work with the digital strategy director for Saatchi & Saatchi to develop a marketing strategy for smartphones, tablets, and mobile devices! You’ll learn how to optimize content for mobile, create responsive landing pages, and track all mobile efforts. Register now!

 

Leave a Reply

One Response to “Following Security Problem, Facebook Moves to OAuth 2.0, HTTPS and SSL Certificates”

  1. Facebook Caught Trying to Stab Google in the Back | Black Web 2.0 says:

    [...] applications accidentally leaking data to third parties, again. This last leak caused Facebook to overhaul their security protocols and implement OAuth 2.0, HTTPS and SSL [...]

Get the latest news in your inbox
interested in advertising with inside facebook?

Social Media Jobs
of the Day

Communications Coordinator

National Science Teachers Association
Arlington, VA

Social Media Coordinator (Part Time)

Stanton Carpet
Syosset, NY

Social Media Manager

Aeon Media
San Francisco, CA

Director of Communications

Coin Center
Washington, DC

Digital Strategies Coordinator

IslandWood
Bainbridge Island, WA

Featured Company

Join leading companies like this one and recruit from the nation's top media job seekers on the Mediabistro Job Board. Every job post comes with our satisfaction guarantee. Learn More
 

Our Sponsors

Mediabistro A division of Prometheus Global Media home | site map | advertising/sponsorships | careers | contact us | help courses | browse jobs | freelancers | content | member benefits | reprints & permissions terms of use | privacy policy Copyright © 2014 Mediabistro Inc. call (212) 389-2000 or email us