Following Security Problem, Facebook Moves to OAuth 2.0, HTTPS and SSL Certificates

Facebook is telling developers today to plan to migrate to newer security standards on the platform — a mostly-planned migration whose roadmap was accelerated because of a data leak discovered by security firm Symantec. Developers will need to migrate to the OAuth 2.0 open standard by September 1 of this year, and they’ll need to have obtained an SSL certificate (not a straightforward process) by October 1.

The security issue was that some applications that used an older authentication system could have shared access to users with third parties, which is conceptually similar to the leaked user identity numbers issue that got so much attention last fall. In this case, older Facebook iframe-based applications could first ask users for permission for actions such as accessing friends lists or posting to the user’s profile walls, as well as the ability to access their profile when they were offline. Facebook would then send back a permission token to the app, in an insecure format that might then be shared (intentionally or not) with others, such as with advertising networks to use for better ad targeting.

It’s not clear what the scope of the problem is. Symantec, which sells security software and so has a stake in there being problems to solve, estimates that more than 100,000 applications had this problem as of last month. It’s not clear how many apps have been leaking tokens, nor for how long.

In response, Facebook reiterates a variety of security steps it is taking, and it also says it has not seen evidence of the tokens being used in a way that violates its policies (which don’t allow third parties reselling data).

The real-world implications of the issue appear to be this: a subset of users who use apps (some users don’t), who also used apps that were leaking data, may have provided a set of permissions that possibly exposed information and access points to unknown parties. So, without more evidence, probably not that terrible. Or as security researcher Joey Tyson summed up earlier today: “Facebook cred leak: 1) Yrs old, 2) not passwords, 3) not OAuth-specific, 3) hard to fix, 4) has caveats, 5) FB monitors, 6) fix in progress.”

In any case, here’s the developer roadmap for the changes, via the company developer blog post today:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

Sponsored Post

Hands-On Social Media Training for Beginners


Social Media 101
In our Social Media 101 boot camp, you’ll determine the social media sites that matter most to you, based on personal and professional goals. Starting May 13, you will learn the best practices for using Facebook, Twitter, LinkedIn, Google+, Pinterest, Instagram and Tumblr, along with complete personal profiles on each site. Register today!

Leave a Reply

One Response to “Following Security Problem, Facebook Moves to OAuth 2.0, HTTPS and SSL Certificates”

  1. Facebook Caught Trying to Stab Google in the Back | Black Web 2.0 says:

    [...] applications accidentally leaking data to third parties, again. This last leak caused Facebook to overhaul their security protocols and implement OAuth 2.0, HTTPS and SSL [...]

interested in advertising with inside facebook?

Social Media Jobs
of the Day

Backend Developer

Healthcasts, LLC
New York, NY

Creative Content Maker & Technologist

socialdeviant
Chicago, IL

Websites Project Manager

ThomasNet
New York, NY

Featured Company

Join leading companies like this one and recruit from the nation's top media job seekers on the Mediabistro Job Board. Every job post comes with our satisfaction guarantee. Learn More
 

Our Sponsors

Also from Inside Network:   AppData - Facebook & iOS Application Stats   PageData - Engagement Data on Facebook Pages   Facebook Marketing Bible   Inside Network Research
 
home | site map | advertising/sponsorships | about | careers | contact us | help courses | browse jobs | freelancers | events | forums | content | member benefits | reprints & permissions terms of use | privacy policy Copyright © 2014 Mediabistro Inc. call (212) 389-2000 or email us