Monday, May 16, 2011

Facebook To Lazy Developpers, Fix Authentication Leaks Or Else.

Facebook is serious about autentication leaks that Symantec discovered last week. Facebook also had a blog post on Oauth 2.0 requirement that will go in to effect on September 1 this year. Oauth 2.0 is supposed to be more secure.
But Facebook is not letting those leaky apps that Symantec exposed, sit idle till September 1, 2011. Those developers have received the following email from facebook;

Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties. Allowing user ids and access tokens to be passed to 3rd parties, even inadvertently, could allow these 3rd parties to access the data the user made available to your site. This violates our policies and undermines user trust in your site and Facebook Platform.
In every case that we have examined, this information is passed via the HTTP Referer Header by the user’s browser. This can happen when using our legacy authentication system and including

No comments: