Friday, January 28, 2011

New security hole in Facebook

I was logged into Facebook and just saw the craziest thing: you can have your apps activated and doing things while you aren't signed into Facebook.

I am sure you must be thinking that doesn't make any sense.

Let me describe my steps below:

I was logged into two sessions of Facebook (two windows open), and they were both on my home page.

I was using Firefox and, in one of the sessions, went into the Mafia Wars game application; I then clicked on the second session and signed out of Facebook. One would think that by signing out of this session, it would have deactivated my other session as well; it did this to a certain extent. I carried out a few actions in my game, i.e. deposited some money, etc., and was able to do this successfully. I then clicked on the home link and it asked me to sign into Facebook.

When I saw this, I re-signed into Facebook, re-entered my application and checked to make sure the actions I had carried out in my game had been successful; they had. I was able to recreate this scenario without any problems.

This is significant: if I can do this in Mafia Wars, can you picture the implications with other applications? What if other applications go further and connect to things like your location or private pictures? What if you were logged into Facebook on a public computer, like one in the library?

Something to think about...

1 comment:

  1. Hello. I am an engineer at Facebook. We invalidate all tokens for the app (unless you have granted the app offline_access permission) once you explicitly log out of Facebook, i.e. by clicking 'Log Out' within Facebook. I just verified this behavior myself.

    I think actions in the game that did not require the game to talk to Facebook for obtaining any user data can continue to work as long as you have a page open for the game. However, rest assured that any API calls the game makes to Facebook using the access token it obtained when you started the game will fail once you explicitly log out. In other words, there is no user data that the app can obtain from Facebook once you log out (assuming you haven't granted the app offline_access permission).

    Please let me know if you have any further questions/concerns.
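The two session states the comment describes (the game's own page state versus the platform access token) can be modelled in a few lines. This is an added illustration, not Facebook's code or the game's: the `Platform` and `GameApp` classes and the user name "alice" are constructed stand-ins, and the token store is a plain dictionary.

```python
"""Model of the logout behaviour described in the comment above (constructed example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Platform:
    """Stand-in for the platform's token store: token -> (user, offline_access)."""
    tokens: dict = field(default_factory=dict)

    def grant(self, user: str, offline_access: bool = False) -> str:
        tok = secrets.token_hex(8)
        self.tokens[tok] = (user, offline_access)
        return tok

    def logout(self, user: str) -> None:
        # Explicit logout invalidates every token for the user,
        # except tokens granted with offline_access.
        for tok, (u, offline) in list(self.tokens.items()):
            if u == user and not offline:
                del self.tokens[tok]

    def api_call(self, tok: str, resource: str) -> str:
        if tok not in self.tokens:
            raise PermissionError("invalid or revoked access token")
        user, _ = self.tokens[tok]
        return f"{resource} of {user}"


@dataclass
class GameApp:
    """Third-party app holding its own page state plus one platform token."""
    platform: Platform
    token: str
    balance: int = 0

    def deposit(self, amount: int) -> int:
        # Purely local state: no platform call, so it keeps working after logout.
        self.balance += amount
        return self.balance

    def fetch_friends(self) -> str:
        # Needs user data from the platform: fails once the token is revoked.
        return self.platform.api_call(self.token, "friends")


def scenario(offline_access: bool = False) -> tuple[int, bool]:
    """Replay the post: deposit, log out elsewhere, deposit again, then hit the API."""
    platform = Platform()
    game = GameApp(platform, platform.grant("alice", offline_access))
    game.deposit(100)
    platform.logout("alice")  # the 'Log Out' click in the second window
    balance_after_logout = game.deposit(50)  # still succeeds, as observed
    try:
        game.fetch_friends()
        api_still_works = True
    except PermissionError:
        api_still_works = False
    return balance_after_logout, api_still_works
```

Running `scenario()` shows the local deposit succeeding while the API call fails; `scenario(offline_access=True)` shows the exception the engineer notes, where the token survives logout.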