Chris Soghoian has an interesting article about how a number of application developers are failing to protect against extremely basic security risks. For instance, a user can monitor all POST and GET requests (the mechanism by which data from a form that prompts users for information is passed to the server) coming from an application form and modify them before the data is submitted to the application server.
The result is that hackers could theoretically spoof their identity. Most websites are vulnerable to this issue as well. Not only are these applications open to potential spoofing attacks, but occasionally they are also at risk of ordinary SQL injection attacks. An experienced developer will build these protections into their scripts.
Given that many of these applications aren’t built by experienced developers, though, there is an increasing risk that sensitive data gets manipulated. Personally, I think there are enough protections in place on Facebook’s end, but the Surveillance State team is trying to paint a different picture.
I’m sure we will occasionally see an application get exploited, but for the most part Facebook has done a pretty good job of protecting against security risks.
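To make the two risks in the article concrete, here is an added example (not code from the article, from Soghoian, or from any Facebook SDK) in Python with an in-memory SQLite table. `profile_vulnerable` trusts a `user_id` form field the client can edit and pastes it into the SQL text; `profile_hardened` takes the identity from a hypothetical server-side `session` record and binds every client-supplied value as a query parameter. The users table and the form contents are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the article): two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def profile_vulnerable(conn, form):
    """Return the profile for the id posted in the form.

    Two defects the article alludes to: the identity is read from a form
    field the client can edit before submitting (spoofing), and the value
    is concatenated into the SQL text (injection).
    """
    user_id = form.get("user_id", "")
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def profile_hardened(conn, session):
    """Return the profile of the authenticated user only.

    `session` is a hypothetical server-side session record; the identity
    comes from there, so whatever the client put in the form is never
    consulted for it, and the id is bound as a parameter.
    """
    user_id = session["user_id"]
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def search_by_name_hardened(conn, form):
    """A client-supplied value used the right way: bound as a parameter,
    so it is compared as data and cannot change the query structure."""
    name = form.get("name", "")
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the same tampered inputs through both handlers."""
    conn = make_db()
    session = {"user_id": 1}        # the server knows the caller is alice
    tampered = {"user_id": "2"}     # the client rewrote the field to bob's id
    return {
        "vuln_spoof": profile_vulnerable(conn, tampered),
        "vuln_inject": profile_vulnerable(conn, {"user_id": "1 OR 1=1"}),
        "safe": profile_hardened(conn, session),
        "safe_search": search_by_name_hardened(conn, {"name": "' OR '1'='1"}),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The hardened handler does not try to validate the `user_id` field; it never reads it. Identity that the server already established (session, or a platform signature as discussed in the comments) is the only trustworthy source, and anything that does come from the client is passed to the database as a bound parameter.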
All requests from fb pass a signature using a shared secret key. There is no way a hacker could generate this sig without knowing the secret key. The default libraries use this key to validate the user, so anyone simply following the example apps would have a pretty secure app.
Comment by Tom — March 28, 2008 @ 6:45 am
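The mechanism Tom describes, as an added example that is not part of the original post, Tom's comment, or any Facebook library: the platform signs the request parameters with a secret shared only with the app, and the app recomputes the signature before trusting any field. The scheme here (HMAC-SHA256 over sorted, URL-encoded parameters, plus a `ts` freshness parameter to limit replay) is an assumption for illustration, not Facebook's actual algorithm; the secret and request values are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode


def canonical(params):
    """Serialise every parameter except the signature itself in a fixed
    order, so signer and verifier hash exactly the same bytes."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "sig"))


def sign(params, secret):
    """Signature the platform would attach: HMAC-SHA256 over the canonical
    form, keyed with the secret it shares with this app."""
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()


def verify(params, secret, now=None, max_age=300):
    """True only if the signature matches and the request is fresh.

    Any edit to a signed field changes the canonical bytes, so the
    recomputed HMAC no longer matches. The `ts` check (assumed parameter)
    rejects a captured request replayed later, which a bare signature
    check would accept.
    """
    sig = params.get("sig")
    ts = params.get("ts")
    if not sig or ts is None:
        return False
    try:
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return False
    if age < 0 or age > max_age:      # future-dated or stale
        return False
    # Constant-time comparison; a plain == leaks how much of the prefix matched.
    return hmac.compare_digest(sign(params, secret), sig)


def demo():
    """Genuine, tampered, wrong-secret and replayed requests side by side."""
    secret = b"constructed-shared-secret-not-a-real-key"
    now = 1_700_000_000
    request = {"user": "1001", "app": "demo_app", "ts": str(now)}
    request["sig"] = sign(request, secret)
    tampered = dict(request, user="1002")   # client rewrote the identity field
    replayed = dict(request)                # identical request, an hour later
    return {
        "genuine": verify(request, secret, now=now),
        "tampered": verify(tampered, secret, now=now),
        "wrong_secret": verify(request, b"some-other-secret", now=now),
        "replayed": verify(replayed, secret, now=now + 3600),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(label, "accepted" if ok else "rejected")
```

The app never needs to know which field was edited; it only needs to refuse any request whose signature does not verify, and to do so before the request's fields are used for anything. The shared secret must stay on the server, which is exactly why client-side code or an unprotected config file is the weak point in this design.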
Ha! I saw this coming five months ago. Scope this post… http://deftlabs.com/2007/10/facebook-applicatio…
Comment by Ryan — March 31, 2008 @ 3:49 am
Actually, nothing on the network is absolutely secure; we can only protect it as much as possible, with measures such as a firewall.
Comment by evamagi — June 2, 2010 @ 8:41 pm