Facebook Application Security

Oct 15, 2007 – 09:33 by Ryan

While developing Smart Links we spent a lot of time thinking about the security model of Facebook applications. We did this to ensure that our users have a reliable experience. Imagine how a user would feel if they went to view a link they added in the application and it wasn’t there. A doubt is placed in their mind that the application doesn’t always work as expected. Perceptions of doubt are lethal for an application.

How does this relate to security? Apart from the lack of an SSL option, the only real issue we found is verifying data ownership. A request from the Facebook servers delivers a message that can be authenticated using a private key. This is great, but authentication alone is not enough: application developers also need to consider who owns the data and whether the requested action is allowed on it.

If an application were to blindly modify data based on the action in a request, it would open up the possibility of spam and other malicious actions. In Smart Links, if we did not verify the ownership of the data in an action, the application would be susceptible to user A modifying the data for user B. A piece of custom software or a script would have to be written to exploit this weakness, but it’s not outside the capabilities of most software engineers.

In a nutshell, this isn’t a weakness in the Facebook platform but a note for application developers that they need to consider security when developing.
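The ownership check described above, as an added example that is not Smart Links code. The request signature is modelled with an HMAC stand-in rather than Facebook's actual scheme, and `LINKS`, the handler names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

APP_SECRET = b"constructed-demo-secret"  # placeholder, not a real key

# Constructed sample store: link id -> owner and URL.
LINKS = {
    "101": {"owner": "userA", "url": "http://example.com/a"},
    "202": {"owner": "userB", "url": "http://example.com/b"},
}


def sign(params):
    """Stand-in platform signature: HMAC-SHA256 over sorted key=value pairs."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()


def authenticated_user(params, sig):
    """Return the user id asserted by the signed parameters, or None."""
    if not hmac.compare_digest(sign(params), sig):
        return None
    return params.get("user")


def update_link_blind(form):
    """Weak handler: acts on whatever record the unsigned form names."""
    link = LINKS.get(form["link_id"])
    if link is None:
        return "not found"
    link["url"] = form["url"]
    return "updated"


def update_link_checked(params, sig, form):
    """Authenticate the request, then verify the caller owns the record."""
    user = authenticated_user(params, sig)
    if user is None:
        return "bad signature"
    link = LINKS.get(form["link_id"])
    # Same answer for missing and foreign records, so ids cannot be probed.
    if link is None or link["owner"] != user:
        return "forbidden"
    link["url"] = form["url"]
    return "updated"
```

The identity comes only from the signed parameters; the form fields select a record but never decide who the caller is.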

One Response to “Facebook Application Security”

    Ryan,

    You make an excellent point. Many application developers fail to consider implementing adequate security measures in order to verify data ownership. Take Moods, Super Wall, and Free Gifts for example. In all three of those applications, User A can very easily modify User B’s data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.

    At any rate, I am doing some digging and trying to figure out a set of suggestions or best practices to make available to developers in order to make it easier for them to validate a user’s identity and/or privileges (and so they have no excuse to create an insecure application that makes its users unnecessarily vulnerable). Do you have any ideas or suggestions about how to do so, or can you provide any insight given your experience in creating the Smart Links application? Any pointers, tips, or information you can provide about the methods you used to verify data ownership and how you arrived at them, or even any information about application security in general, would be greatly appreciated. You can contact me via e-mail at [principal AT takeoutstudios DOT com], or you can drop by the Developer Forum thread located at [http://forum.developers.facebook.com/viewtopic.php?id=11668]. Thanks a lot, and keep up the good work.

    -Greg

    By Gregory Dracoulis on Mar 12, 2008
