Facebook Applications Prove Insecure

Chris Soghoian has an interesting article about how a number of application developers are failing to protect against extremely basic security risks. For instance, a user can monitor all POST and GET requests (the HTTP methods a form uses to pass the data it collects from users) coming from an application form and modify them before the data is submitted to the application server.

The result is that hackers could theoretically spoof their identity. This is an issue that most websites are also vulnerable to. Not only are these applications vulnerable to potential spoofing attacks, but occasionally they are also at risk of typical SQL injection attacks. Experienced developers will build these protections into their scripts.

Given that many of these applications aren’t built by experienced developers though, there is an increasing risk that sensitive data gets manipulated. Personally, I think there are enough protections in place on Facebook’s end but the Surveillance State team is trying to paint a different picture.

I’m sure we will occasionally see an application get exploited but for the most part, Facebook has done a pretty good job in protecting against security risks.
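The tampering described in this article (editing form parameters, such as the user's identity, before they reach the application server) is caught when the server verifies a keyed signature over the parameters it receives. The following is an added example, not code from the article or from Facebook's libraries: it uses HMAC-SHA256 as a stand-in rather than Facebook's actual signature algorithm, and the secret, the parameter names and the `sig` field are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Hypothetical shared secret, known only to the platform and the app server.
APP_SECRET = b"constructed-example-secret"


def canonical(params):
    """Serialize parameters in sorted key order, percent-encoding keys and
    values so that '&' or '=' inside a value cannot forge a different
    parameter set that produces the same signed bytes."""
    return urlencode(sorted(params.items())).encode()


def sign(params, secret=APP_SECRET):
    """Platform side: compute the signature that accompanies the request."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify(request, secret=APP_SECRET):
    """Application side: return the verified parameters, or None when the
    signature is missing or does not cover exactly what was received."""
    received = dict(request)
    sig = received.pop("sig", None)
    if not isinstance(sig, str):
        return None
    expected = sign(received, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return received


def demo():
    """Constructed sample request: one untouched, one edited in transit."""
    original = {"user": "1001", "action": "post_score", "score": "50"}
    request = {**original, "sig": sign(original)}
    tampered = {**request, "user": "2002"}  # identity changed by the client
    return verify(request), verify(tampered)


if __name__ == "__main__":
    print(demo())
```

The signature only proves the parameters were not altered; values taken from a verified request still need parameterized queries before they reach the database.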

 



Comments (4 Responses)

All requests from fb pass a signature using a shared secret key. There is no way a hacker could generate this sig without knowing the secret key. The default libraries use this key to validate the user, so anyone simply following the example apps would have a pretty secure app.

Ha! I saw this coming five months ago. Scope this post….

http://deftlabs.com/2007/10/facebook-application-security/
